Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Installation

The following files are dropped in the %system% folder:

CelInDriver.sys
windhcp.ocx

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CelInDrv]
"Type" = "1"
"ErrorControl" = "0"
"Start" = "4"
"ImagePath" = "\??\%system32%\CelInDriver.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc]
"Type" = "16"
"Start" = "2"
"ErrorControl" = "0"
"ImagePath" = "%system32%\rundll32.exe windhcp.ocx,start"
"DisplayName" = "Windows DHCP Service"
"ObjectName" = "LocalSystem"
"Description"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDHCPsvc\Security]
"Security"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV]
"NextInstance" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000]
"Service" = "CelInDrv"
"Legacy" = "1"
"ConfigFlags" = "0"
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "CelInDrv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CELINDRV\0000\Control]
"*NewlyCreated*" = "0"
"ActiveService" = "CelInDrv"

 

Information stealing

The trojan collects various information when a certain application is being used. The trojan can send the information to a remote machine. The HTTP protocol is used.