Win32/Dridex [Threat Name]

Win32/Dridex.M [Threat Variant Name]

Category trojan
Size 368640 B
Detection created Mar 27, 2015
Detection database version 11386
Aliases Backdoor:Win32/Drixed.C (Microsoft)
  Trojan-Dridex (McAfee)
Short description

Win32/Dridex.M is a trojan that steals sensitive information. It can be controlled remotely. The trojan is usually a part of other malware.


When executed, the trojan copies itself into the following location:

  • %appdata%\%variable1%.tmp

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "rundll32.exe %appdata%\%variable1%.tmp %variable3%"

A string with variable content is used instead of %variable1-3%.

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • explorer.exe

The trojan may create and run a new thread with its own program code within any running process.

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.

Information stealing

The trojan collects the following information:

  • Internet Explorer version
  • operating system version
  • information about the operating system and system settings
  • computer name
  • hardware information
  • CPU information
  • memory status
  • network adapter information
  • computer IP address
  • cookies
  • digital certificates

The trojan collects information used to access certain sites.

The trojan is able to log keystrokes.

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It uses its own P2P network for communication.

The trojan opens some TCP ports.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send gathered information
  • send the list of files on a specific drive to a remote computer
  • delete cookies
  • create Registry entries
  • modify network traffic
  • redirect network traffic
  • modify the content of websites

The trojan affects the behavior of the following applications:

  • Trusteer Rapport

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable1%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable2%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable3%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable4%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable5%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable6%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable7%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable8%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable9%}\ShellFolder]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable10%}\ShellFolder]

The trojan may create the following files:

  • %localappdata%\Low\%variable11%.sdb
  • %localappdata%\Low\%variable12%.bat

The trojan may execute the following commands:

  • netsh advfirewall firewall add rule name="Core Networking - Multicast Listener Done (ICMPv4-In)" program="%windir%\explorer.exe" dir=in action=allow protocol=TCP localport=any
  • %localappdata%\Low\%variable12%.bat
  • sdbinst.exe /q %localappdata%\Low\%variable11%.sdb
  • %system%\iscsicli.exe

A string with variable content is used instead of %variable1-12%.
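The persistence artifacts above (the rundll32 Run-key entry pointing at a .tmp file in %appdata%, the firewall rule that borrows a built-in rule name while allowing explorer.exe inbound on any TCP port, the .sdb/.bat drops in %localappdata%\Low installed through sdbinst.exe, and the HKCU Explorer\CLSID\{...}\ShellFolder storage keys) are all checkable from the host. The following hunting script is an added example written for this page, not ESET's tooling; the function name, the regular expressions, and the decision to flag any REG_BINARY value under a per-user Explorer CLSID ShellFolder key are this example's own choices. The InstalledSDB registry key it consults is the standard Windows location where sdbinst registers custom shim databases and is not taken from the entry above.

```powershell
# Added hunting example, not part of the ESET entry. Run from an elevated
# PowerShell 5.1+ session; Get-NetFirewallRule needs the NetSecurity module
# (Windows 8 / Server 2012 or later). All names below are this example's own.

function Find-DridexMArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($type, $where, $detail) {
        $findings.Add([pscustomobject]@{ Type = $type; Where = $where; Detail = $detail })
    }

    # 1. Run key: a value launching rundll32.exe with a .tmp "DLL" under %appdata%
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }     # drop provider metadata properties
        foreach ($p in $props) {
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?(%appdata%|.*\\AppData\\Roaming)\\[^\\\s"]+\.tmp\b') {
                Add-Finding 'RunKey' "$runKey\$($p.Name)" $cmd
            }
        }
    }

    # 2. %appdata%\*.tmp files that start with a PE ('MZ') header, i.e. DLLs posing as temp files
    Get-ChildItem -Path $env:APPDATA -Filter '*.tmp' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $head = New-Object byte[] 2
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try { $null = $fs.Read($head, 0, 2) } finally { $fs.Dispose() }
        if ($head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
            Add-Finding 'PEAsTmp' $_.FullName 'MZ header in .tmp file'
        }
    }

    # 3. Firewall rule with the built-in ICMPv4 rule's display name but TCP/explorer.exe inbound semantics.
    #    The genuine rule is ICMPv4 with no program, so this combination is the tell.
    Get-NetFirewallRule -DisplayName 'Core Networking - Multicast Listener Done (ICMPv4-In)' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($app.Program -match '(?i)\\explorer\.exe$' -and $port.Protocol -eq 'TCP' -and $_.Direction -eq 'Inbound') {
            Add-Finding 'FirewallRule' $_.Name "program=$($app.Program) protocol=$($port.Protocol) action=$($_.Action)"
        }
    }

    # 4. Shim database (.sdb) and batch files dropped in %localappdata%\Low
    $low = Join-Path $env:LOCALAPPDATA 'Low'
    Get-ChildItem -Path $low -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.sdb', '.bat' } |
    ForEach-Object { Add-Finding 'DroppedFile' $_.FullName "$($_.Length) bytes, written $($_.LastWriteTime)" }

    # 5. Shims registered by sdbinst whose database lives under a user profile rather than %windir%\AppPatch
    #    (InstalledSDB is the standard Windows registration key; assumed here, not listed in the entry)
    $installed = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (Test-Path $installed) {
        Get-ChildItem $installed -ErrorAction SilentlyContinue | ForEach-Object {
            $db = Get-ItemProperty $_.PSPath
            if ([string]$db.DatabasePath -match '(?i)\\Users\\[^\\]+\\AppData\\') {
                Add-Finding 'InstalledShim' $_.PSChildName $db.DatabasePath
            }
        }
    }

    # 6. HKCU Explorer\CLSID\{...}\ShellFolder keys holding binary blobs (the storage location listed above).
    #    Legitimate per-user entries here are rare, so every hit is worth a manual look rather than an automatic verdict.
    $clsidRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID'
    if (Test-Path $clsidRoot) {
        Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
            $keyName = $_.PSChildName
            $sf = Join-Path $_.PSPath 'ShellFolder'
            if (-not (Test-Path $sf)) { return }
            (Get-ItemProperty $sf).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [byte[]] } |
            ForEach-Object {
                Add-Finding 'CLSIDStorage' "$clsidRoot\$keyName\ShellFolder\$($_.Name)" "$($_.Value.Length) bytes REG_BINARY"
            }
        }
    }

    return $findings
}

$results = @(Find-DridexMArtifacts)
if ($results.Count -eq 0) { Write-Output 'No Win32/Dridex.M persistence artifacts found.' }
else { $results | Format-Table -AutoSize }
```

Checks 1 to 4 map one-to-one onto the artifacts listed on this page; checks 5 and 6 widen them into heuristics (any user-profile shim, any binary blob under a per-user CLSID ShellFolder key), so treat their output as leads for review, not as a verdict. Because the trojan hooks the WinINet and Winsock APIs inside the browser processes it injects into, a clean host check should be paired with network-side monitoring rather than relied on alone.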

The trojan hooks the following Windows APIs:

  • GetProcAddress (kernel32.dll)
  • InternetSetStatusCallbackA (wininet.dll)
  • InternetSetStatusCallbackW (wininet.dll)
  • InternetOpenA (wininet.dll)
  • InternetOpenW (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetQueryOptionA (wininet.dll)
  • InternetQueryOptionW (wininet.dll)
  • InternetSetOptionA (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • TranslateMessage (user32.dll)
  • WSAEventSelect (ws2_32.dll)
  • WSAEnumNetworkEvents (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • WSAGetOverlappedResult (ws2_32.dll)
  • PR_Read (nss3.dll)
  • PR_Write (nss3.dll)
  • PR_Close (nss3.dll)
  • GetClipboardData (user32.dll)
  • CryptGetUserKey (advapi32.dll)
