Virus Information provided by ZoneAlarm
Virus Information powered by Computer Associates
Virus Name: Centim Family
Pervasiveness: 1 of 5
Destructiveness: 3 of 5
Wildness: 2 of 5
Type: Trojan
Aliases: [Win32.]Centim Family; [Win32.]Centim.I; [Win32/]Centim.H!Trojan; [TROJ_]DLOADER.AP (Trend); [Win32.]Centim.F; [Trojan-Downloader.]Win32.Centim.d (Kaspersky); [Win32.]Centim.D; [Win32/]DownLoader.16896!Trojan; [Win32.]Centim.E; [Troj/]Dloader-GC (Sophos); [Troj/]Dloader-GG (Sophos); [Trojan-Downloader.]Win32.Centim.g (Kaspersky); [Win32.]Centim.C; [Trojan-Downloader.]Win32.Centim.a (Kaspersky); [TROJ_]DLOADER.GG (Trend); [Trojan-Downloader.]Win32.Small.adv (Kaspersky); [Win32.]Centim.K; [Win32.]Centim.B; [Downloader-]TQ (McAfee); [Troj/]Dloader-FY (Sophos); [Troj/]DownLdr-GE (Sophos); [Win32/]Centim!Trojan; [TROJ_]DLOADER.GX (Trend); [TROJ_]SMALL.ADV (Trend); [Trojan-Downloader.]Win32.Agent.fk (Kaspersky); [Win32.]Centim.A; [Troj/]Dloader-GX (Sophos); [TROJ_]CENTIM.A (Trend); [Trojan-Downloader.]Win32.Agent.hj (Kaspersky); [Win32/]Centim.G!Trojan; [Win32.]Centim.G; [Win32.]Centim.H; [Trojan-Downloader.]Win32.Centim.t (Kaspersky); [Win32.]Centim.J
 
Date Modified: 30-Mar-2005
Date Published: 14-Feb-2005
 
Description:
Win32.Centim is a family of downloader trojans.

When the Centim trojans are executed, they usually create a directory in the %ProgramFilesdir% folder and copy themselves to this directory.

The following registry value is then set so that the trojan runs at each Windows start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<directory name> = "%ProgramFilesdir%\<directory name>\<file name>.exe"

Notes:
<directory name> is the name of the directory the trojan creates
<file name> is the name the trojan copies itself to
%ProgramFilesdir% refers to the location of the Program Files folder, which the trojan finds by querying the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir

There are a number of variants of this trojan with minor changes in functionality that have been reported to Computer Associates. The following lists the variants observed in the wild:

  • Centim.A (size: 9,216 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.B (size: 16,896 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.C (size: 16,384 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.D (size: 22,016 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.E (size: 16,896 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.F (size: 15,872 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.G (size: 13,824 bytes)
    - copies itself to %ProgramFilesdir%\Advanced Interactive Multimedia\aim.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Advanced Interactive Multimedia = "%ProgramFilesdir%\Advanced Interactive Multimedia\aim.exe"
  • Centim.H (size: 16,384 bytes)
    - copies itself to %ProgramFilesdir%\Archive\archive.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Archive = "%ProgramFilesdir%\Archive\archive.exe"
  • Centim.I (size: 16,384 bytes)
    - copies itself to %ProgramFilesdir%\Archive\archive.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Archive = "%ProgramFilesdir%\Archive\archive.exe"
  • Centim.J (size: 13,824 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.K (size: 98,304 bytes)
    - copies itself to %ProgramFilesdir%\Parallel Tasking\ptask.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parallel Tasking = "%ProgramFilesdir%\Parallel Tasking\ptask.exe"
  • Centim.R (size: 15,872 bytes)
    - copies itself to %ProgramFilesdir%\Time Sync\time.exe
    - sets the following registry value:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Time Sync = "%ProgramFilesdir%\Time Sync\time.exe"
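As an added defender-side example (not part of the Computer Associates write-up), the following Python parses a `reg export` of the Run key and flags entries matching the persistence pattern described above: the known Centim directory/file pairs from the variant list, and, more generally, any Run value whose name equals its own directory directly under Program Files, resolved from ProgramFilesDir just as the trojan does. The sample export is constructed; the `SecurityCenter` and `Updater` entries are hypothetical and not Centim indicators.

```python
import re
from typing import Dict, List, Tuple

# Run values used by the Centim variants listed above (value name -> executable);
# per the description, the value name equals the directory created under Program Files.
CENTIM_RUN_ENTRIES = {
    "Parallel Tasking": "ptask.exe",
    "Advanced Interactive Multimedia": "aim.exe",
    "Archive": "archive.exe",
    "Time Sync": "time.exe",
}
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

# Constructed sample in `reg export` syntax (hypothetical host; only the Centim paths are from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityCenter"="C:\\Program Files\\Vendor\\SecurityCenter\\sc.exe -tray"
"Parallel Tasking"="C:\\Program Files\\Parallel Tasking\\ptask.exe"
"Archive"="C:\\Program Files\\Archive\\archive.exe"
"Updater"="C:\\Program Files\\Updater\\upd.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    # .reg exports escape backslashes and quotes inside string data.
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="string" lines of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_centim_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, path, verdict) for Run values that fit the Centim persistence pattern."""
    keys = parse_reg_export(text)
    pf = keys.get(HKLM_CV, {}).get("ProgramFilesDir", r"C:\Program Files").rstrip("\\")
    hits = []
    for name, data in keys.get(HKLM_CV + r"\Run", {}).items():
        path = data.strip().strip('"')
        if not path.lower().startswith(pf.lower() + "\\"):
            continue
        parts = path[len(pf) + 1:].split("\\")
        if len(parts) != 2:  # Centim uses exactly <directory name>\<file name>.exe
            continue
        directory, exe = parts
        known = CENTIM_RUN_ENTRIES.get(directory)
        if known and exe.lower() == known:
            hits.append((name, path, "known Centim variant"))
        elif directory.lower() == name.lower():
            hits.append((name, path, "Centim-style: value name equals its Program Files directory"))
    return hits
```

The generic rule also matches some legitimate software that installs the same way, so treat those hits as review items rather than verdicts.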

Downloads and Executes Arbitrary Files

Once executed, the trojans wait approximately one hour before they begin downloading files. Files are downloaded from a specified URL and executed from the location "%Temp%\<random number>.exe". If a download attempt fails, the trojans retry every hour.

%Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".

At the time of writing, the files that were downloaded contained no data.

After a successful download, the trojan removes the registry value it initially created (mentioned in Method of Infection above).

Analysis by Amir Fouda