Win32/Cridex [Threat Name]
Win32/Cridex.AA [Threat Variant Name]
Detection created: Oct 10, 2012
Signature database version: 8525
Win32/Cridex.AA is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.
When executed, the trojan copies itself into the following location:
The %number% represents a random number.
The trojan may create the following files:
In order to be executed on every system start, the trojan sets the following Registry entry:
- "KB%number%.exe" = "%appdata%\KB%number%.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S%variable%]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\C%variable%]
A string with variable content is used instead of %variable%.
After the installation is complete, the trojan deletes the original executable file.
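As an added example (not part of the original ESET description), the persistence pattern above expressed as a host check in Python: it matches Run values named KB%number%.exe that point at %appdata%\KB%number%.exe with the same number on both sides, and looks for the paired S.../C... subkeys under HKCU\Software\Microsoft\Windows NT. The sample registry values, the helper names and the exclusion of the standard CurrentVersion subkey are assumptions.

```python
import re
from typing import Dict, List

# Persistence pattern described above: a Run value named "KB<number>.exe" whose
# data is "%appdata%\KB<number>.exe" (or its expanded form), same number on both sides.
RUN_VALUE_RE = re.compile(r"^KB(\d+)\.exe$", re.IGNORECASE)
RUN_DATA_RE = re.compile(
    r"^(?:%appdata%|.*\\AppData\\Roaming)\\KB(\d+)\.exe$", re.IGNORECASE)

# Marker keys under HKCU\Software\Microsoft\Windows NT: "S<variable>" and "C<variable>".
# "CurrentVersion" exists there on every Windows install, so it is excluded (assumption).
MARKER_KEY_RE = re.compile(r"^[SC][A-Za-z0-9]+$", re.IGNORECASE)
KNOWN_WINNT_SUBKEYS = {"currentversion"}

# Constructed sample data standing in for a registry export; not from a real host.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "KB24178.exe": r"C:\Users\alice\AppData\Roaming\KB24178.exe",
    "KB1.exe": r"C:\Program Files\Vendor\KB1.exe",  # name fits, path does not
}
SAMPLE_WINNT_SUBKEYS: List[str] = ["CurrentVersion", "Sx7kq2", "Cj9pq1"]

def scan_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run value names matching the KB%number%.exe persistence pattern."""
    hits = []
    for name, data in run_values.items():
        m_name = RUN_VALUE_RE.match(name)
        m_data = RUN_DATA_RE.match(data.strip('"'))
        if m_name and m_data and m_name.group(1) == m_data.group(1):
            hits.append(name)
    return hits

def scan_winnt_keys(subkeys: List[str]) -> List[str]:
    """Return S*/C* marker subkeys, but only when both kinds are present."""
    hits = [k for k in subkeys
            if k.lower() not in KNOWN_WINNT_SUBKEYS and MARKER_KEY_RE.match(k)]
    kinds = {k[0].upper() for k in hits}
    return hits if kinds == {"S", "C"} else []

def assess(run_values: Dict[str, str], subkeys: List[str]) -> dict:
    """Combine both checks; the Run entry alone is specific enough to flag the host."""
    run_hits = scan_run_values(run_values)
    key_hits = scan_winnt_keys(subkeys)
    return {"run_values": run_hits, "marker_keys": key_hits,
            "suspicious": bool(run_hits)}

if __name__ == "__main__":
    print(assess(SAMPLE_RUN_VALUES, SAMPLE_WINNT_SUBKEYS))
```

The marker subkeys carry variable names, so on their own they are only corroborating evidence; the number-matched Run value is the indicator worth alerting on.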
The trojan collects sensitive information when the user browses certain web sites.
The trojan collects the following information:
- POP3 account information
- FTP account information
- digital certificates
- list of files/folders on specific drive
- login user names for certain applications/services
- login passwords for certain applications/services
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 16 URLs. The HTTP protocol is used.
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- send the list of files on specific drive to a remote computer
- send files to a remote computer
- download files from a remote computer and/or the Internet
- run executable files
- delete cookies
- monitor network traffic
- modify network traffic
- update itself to a newer version
- send gathered information
The trojan creates and runs a new thread with its own program code in all running processes.
The trojan hooks the following API functions (in Windows system libraries and in the Mozilla NSPR/NSS libraries used by Firefox):
- LdrLoadDll (ntdll.dll)
- NtResumeThread (ntdll.dll)
- InitializeSecurityContextA (secur32.dll)
- InitializeSecurityContextW (secur32.dll)
- EncryptMessage (secur32.dll)
- DecryptMessage (secur32.dll)
- DeleteSecurityContext (secur32.dll)
- connect (ws2_32.dll)
- send (ws2_32.dll)
- WSASend (ws2_32.dll)
- recv (ws2_32.dll)
- WSARecv (ws2_32.dll)
- select (ws2_32.dll)
- closesocket (ws2_32.dll)
- getaddrinfo (ws2_32.dll)
- gethostbyname (ws2_32.dll)
- PFXImportCertStore (crypt32.dll)
- PR_Connect (nspr4.dll)
- PR_Write (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Poll (nspr4.dll)
- PR_Close (nspr4.dll)
- SSL_ImportFD (ssl3.dll)