

Posted: August 22, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 28
First Seen: August 22, 2012
OS(es) Affected: Windows

Crisis is a rootkit, also known as Morcut, that combines broadly applicable spyware functions, such as keylogging, with an unusually varied set of installation tactics. Unlike most rootkits, Crisis is fully functional on both Windows and Mac OS X, and it also includes installation routines for virtual machines and Windows-based mobile platforms. All variants of Crisis should be considered dangerous and highly invasive to your PC's privacy, since Crisis can install other PC threats, transfer confidential information to remote attackers and disable important security features. Many PC security companies have developed adequate definitions for Crisis as of the time of this writing, and Crisis should be removable by updated anti-malware products, although SpywareRemove.com malware researchers prefer that you avoid falling for Crisis's installation scam (a fake Adobe update) in the first place.

Crisis: A Danger for Most OSes and Quite a Few of the Programs That Reside Within Them

Crisis's sordid story begins with a malicious JavaScript applet that pretends to be an update for Adobe software. PC users who trust this applet enough to install its proffered software will have their operating system detected, after which a suitable variant of Crisis is dropped onto the PC. Along with the cross-platform compatibility that launched Crisis into minor infamy, Crisis also includes infection methods for virtual machines, a notable achievement, since most PC threats disable themselves in VM environments to avoid analysis by PC security companies.

After its installation, Crisis opens a backdoor that contacts a C&C server. This allows criminals to exercise control over your PC and should be considered a high-level breach of your privacy and security. SpywareRemove.com malware analysts have also noted other Crisis attacks that can be used to steal sensitive information or further the contamination of the infected computer, such as:

  • Monitoring text, voice and video communications from instant messaging programs like Skype and MSN Messenger.
  • Recording keyboard input and even mouse coordinates.
  • Taking screenshots.
  • Monitoring your webcam and microphone.
  • Tracking which websites are visited according to their web addresses.
  • Spying on address book entries.

How to Bring an End to This Crisis

Crisis uses rootkit techniques to conceal itself and to accomplish many of its attacks, and SpywareRemove.com malware researchers recommend that you use suitably advanced anti-malware applications to detect and delete Crisis without further problems. Crisis is unlikely to display processes or files of its own while it is active, so it should be assumed to be running unless exceptional measures have been taken to disable it. Booting your PC from a clean USB drive, if possible, is recommended.

However, care should be taken when introducing removable devices to a Crisis-infected PC. SpywareRemove.com malware experts have also noted that Crisis includes limited functions to copy itself to removable drives and automatically infect other computers exposed to these devices. You should avoid sharing USB drives and similar devices between a Crisis-infected computer and an uninfected system unless you've used anti-malware software to verify that the device is clean.
