Win32/Dridex [Threat Name]

Win32/Dridex.P [Threat Variant Name]

Category trojan
Size 167936 B
Detection created Apr 23, 2015
Detection database version 11521
Aliases Trojan.Win32.Yakes.lopg (Kaspersky)
  Backdoor:Win32/Drixed.D (Microsoft)
  Trojan.Dridex.185 (Dr.Web)
Short description

Win32/Dridex.P is a trojan which tries to download other malware from the Internet.

Installation

The trojan may create copies of the following files (source, destination):

  • %originalmalwarefilepath%, %localappdata%\Low\%variable1%\%variable2%.exe

The trojan may create the following files:

  • %localappdata%\Low\%variable3%.sdb
  • %localappdata%\Low\%variable4%.bat

The trojan may execute the following commands:

  • cmd.exe /c %localappdata%\Low\%variable1%\%variable2%.exe
  • %localappdata%\Low\%variable1%\%variable2%.exe
  • sdbinst.exe /q %localappdata%\Low\%variable3%.sdb
  • %localappdata%\Low\%variable4%.bat
  • %system%\iscsicli.exe

A string with variable content is used instead of %variable1-4%.

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
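
As an added defender-side example (not part of this ESET entry), the following Python sketch checks a sequence of process-creation events against the command chain listed above: sdbinst.exe /q installing an .sdb from the %localappdata%\Low folder, .exe or .bat files run from that folder (directly or via cmd.exe /c), and iscsicli.exe started after the shim install. The event tuples and file names are constructed, and the on-disk spelling of the Low folder is an assumption.

```python
import re

# Constructed process-creation events (image path, command line), in execution
# order; these are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\alice\AppData\LocalLow\Qx7k\k8m2.exe"),
    (r"C:\Users\alice\AppData\LocalLow\Qx7k\k8m2.exe",
     r"C:\Users\alice\AppData\LocalLow\Qx7k\k8m2.exe"),
    (r"C:\Windows\System32\sdbinst.exe",
     r"sdbinst.exe /q C:\Users\alice\AppData\LocalLow\f3a9.sdb"),
    (r"C:\Users\alice\AppData\LocalLow\n1p4.bat",
     r"C:\Users\alice\AppData\LocalLow\n1p4.bat"),
    (r"C:\Windows\System32\iscsicli.exe", r"iscsicli.exe"),
    (r"C:\Windows\System32\sdbinst.exe",  # benign: not quiet, not in the Low folder
     r"sdbinst.exe C:\Program Files\Vendor\compat.sdb"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]

# The page writes the folder as %localappdata%\Low; assumed here to appear in
# logs as ...\AppData\Local\Low\ or ...\AppData\LocalLow\ (both forms accepted).
LOW_DIR = r"AppData\\Local\\?Low\\"
LOW_SDB = re.compile(LOW_DIR + r"[^\\\s]+\.sdb", re.IGNORECASE)
LOW_EXEC = re.compile(LOW_DIR + r"(?:[^\\\s]+\\)?[^\\\s]+\.(?:exe|bat)", re.IGNORECASE)
SDBINST_QUIET = re.compile(r"(?:^|\\)sdbinst\.exe\s+/q\s", re.IGNORECASE)


def analyze(events):
    """Return [(event_index, rule_name)] for events matching the chain on this page."""
    hits = []
    sdb_seen = False
    for i, (image, cmdline) in enumerate(events):
        name = image.rsplit("\\", 1)[-1].lower()
        # Rule 1: quiet shim-database install from the Low folder (sdbinst.exe /q ...\Low\*.sdb)
        if name == "sdbinst.exe" and SDBINST_QUIET.search(cmdline) and LOW_SDB.search(cmdline):
            hits.append((i, "sdbinst_quiet_low_sdb"))
            sdb_seen = True
        # Rule 2: .exe or .bat run from the Low folder, directly or via cmd.exe /c
        elif LOW_EXEC.search(image) or (name == "cmd.exe" and LOW_EXEC.search(cmdline)):
            hits.append((i, "exec_from_low_dir"))
        # Rule 3: iscsicli.exe is a normal system binary, so flag it only after rule 1 fired
        elif name == "iscsicli.exe" and sdb_seen:
            hits.append((i, "iscsicli_after_sdbinst"))
    return hits


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx][1]}")
```

On the constructed events, the benign sdbinst.exe call and notepad.exe produce no hit, while a lone iscsicli.exe without a preceding quiet shim install is also left alone.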

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • installed program components listed under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a list of (3) URLs.

It tries to download a file from the addresses. The file is then executed.

The HTTPS protocol is used in the communication.

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable1%}\ShellFolder\0]

A string with variable content is used instead of %variable1%.
