Win32/Cridex [Threat Name]
Win32/Cridex.AA [Threat Variant Name]
| Category | trojan, worm |
| Size | 180224 B |
| Signature database version | 7570 (Oct 11, 2012) |
| Aliases | Worm:Win32/Cridex.E (Microsoft), W32.Cridex (Symantec), PWS-Zbot.gen.ajn (McAfee) |
Short description
Win32/Cridex.AA is a trojan that steals passwords and other sensitive information. The trojan also serves as a backdoor and can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- %appdata%\KB%number%.exe
The %number% represents a random number.
The trojan may create the following files:
- %appdata%\%variable%\%variable%.srv
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "KB%number%.exe" = "%appdata%\KB%number%.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S%variable%]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\C%variable%]
A string with variable content is used in place of %variable%.
After the installation is complete, the trojan deletes the original executable file.
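As an added, defender-side example that is not part of the original description, the following PowerShell script audits the current user profile for the persistence artifacts listed above: a Run value named KB<number>.exe whose target lies under %appdata%, and .srv files one directory below %appdata%. The function name, the numeric-only interpretation of %number%, and the output format are assumptions made here; the registry path and file-name patterns come from the description. Anything the script reports is a candidate for analyst review (hash, signer, AV scan), not a confirmed infection.

```powershell
# Added example (not from the ESET page): audit HKCU Run and %APPDATA% for the
# Win32/Cridex.AA persistence artifacts described above.
# Assumptions: %number% is treated as one or more decimal digits; the function
# name and output shape are chosen here for illustration.
function Find-CridexPersistenceArtifacts {
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $hits    = @()

    # 1. Run values: name "KB<number>.exe" and/or target %APPDATA%\KB<number>.exe
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/PSChildName/PSDrive/PSProvider metadata
            if ($p.Name -like 'PS*') { continue }
            $raw    = [string]$p.Value
            # Values may be quoted or stored with an unexpanded %appdata%
            $target = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            $nameMatch = ($p.Name -match '^(?i)KB\d+\.exe$')
            $pathMatch = ($target -match '(?i)\\KB\d+\.exe$') -and ($target -like "$appData\*")
            if ($nameMatch -or $pathMatch) {
                $hits += [pscustomobject]@{
                    Kind     = 'RunValue'
                    Location = "$runKey\$($p.Name)"
                    Target   = $target
                    Exists   = Test-Path -LiteralPath $target
                }
            }
        }
    }

    # 2. Dropped component: %APPDATA%\<variable>\<variable>.srv (one level deep)
    Get-ChildItem -Path $appData -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        Get-ChildItem -Path $_.FullName -Filter '*.srv' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hits += [pscustomobject]@{
                    Kind     = 'SrvFile'
                    Location = $_.FullName
                    Target   = $_.FullName
                    Exists   = $true
                }
            }
    }

    return $hits
}

$findings = Find-CridexPersistenceArtifacts
if ($findings.Count -eq 0) {
    Write-Output 'No Cridex-style persistence artifacts found for the current user.'
} else {
    Write-Output "Flagged $($findings.Count) item(s) for review:"
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user account being investigated, since the Run key and %appdata% are per-user. Because the description leaves the KB%number% and %variable% names unspecified, the patterns are deliberately broad; a Run entry that points to a legitimate, signed binary will also match and should simply be cleared during review.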
Information stealing
The trojan collects sensitive information when the user browses certain web sites.
The trojan collects the following information:
- POP3 account information
- FTP account information
- digital certificates
- cookies
- list of files/folders on a specific drive
- login user names for certain applications/services
- login passwords for certain applications/services
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 16 URLs. The HTTP protocol is used.
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- send files to a remote computer
- download files from a remote computer and/or the Internet
- run executable files
- delete cookies
- monitor network traffic
- modify network traffic
- update itself to a newer version
- send gathered information
The trojan injects its own program code into all running processes and runs it there in a newly created thread.
The trojan hooks the following Windows APIs:
- LdrLoadDll (ntdll.dll)
- NtResumeThread (ntdll.dll)
- InitializeSecurityContextA (secur32.dll)
- InitializeSecurityContextW (secur32.dll)
- EncryptMessage (secur32.dll)
- DecryptMessage (secur32.dll)
- DeleteSecurityContext (secur32.dll)
- connect (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- recv (ws2_32.dll)
- WSARecv (ws2_32.dll)
- select (ws2_32.dll)
- closesocket (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- PFXImportCertStore (crypt32.dll)
- PR_Connect (nspr4.dll)
- PR_Write (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Close (nspr4.dll)
- SSL_ImportFD (ssl3.dll)