Win32/Dridex [Threat Name]

Win32/Dridex.Y [Threat Variant Name]

Category: trojan
Size: 146432 B
Detection created: Nov 12, 2015
Detection database version: 12556
Aliases: Trojan.Win32.Agent.ihhm (Kaspersky)
         Backdoor:Win32/Drixed (Microsoft)
         Trojan.Cridex (Symantec)
Short description

Win32/Dridex.Y is a trojan which tries to download other malware from the Internet.


The trojan may create copies of itself using the following filenames:

  • %localappdata%\%variable1%\%variable2%.exe
  • %localappdata%\Low\%variable1%\%variable2%.exe

The following files may be dropped:

  • %localappdata%\Low\%variable3%.sdb
  • %localappdata%\Low\%variable3%.bat

The trojan executes the following command:

  • sdbinst.exe /q %localappdata%\Low\%variable3%.sdb
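
As an added example (not part of the original description and not the vendor's detection logic), the following Python function flags process-creation records in which sdbinst.exe silently installs a .sdb located directly in %localappdata%\Low, and reports the same-named .bat the description lists beside it. The event field names, the sample records, the acceptance of -q as well as /q, and the expansion of %localappdata% to <drive>:\Users\<user>\AppData\Local are assumptions.

```python
import ntpath
import re

# Assumption: %localappdata% expands to <drive>:\Users\<user>\AppData\Local.
SDB_IN_LOW = re.compile(
    r'([A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Low\\([^\\"]+?)\.sdb)\b', re.I)
# Quiet switch as a standalone argument; "/q" is the form shown in the description.
QUIET_SWITCH = re.compile(r'(?:^|\s)[/-]q(?=\s|$)', re.I)

# Constructed sample process-creation records (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r"sdbinst.exe /q C:\Users\alice\AppData\Local\Low\kq3f.sdb"},
    {"host": "WS02", "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r'"C:\Windows\System32\sdbinst.exe" -q '
                r'"C:\Users\bob\AppData\Local\Low\x1.sdb"'},
    # Quiet install from a vendor directory: path condition not met.
    {"host": "WS03", "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r'sdbinst.exe -q "C:\Program Files\Vendor\compat\fix.sdb"'},
    # Different image: ignored even though the folder matches.
    {"host": "WS04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\carol\AppData\Local\Low\z9.bat"},
]

def find_silent_sdb_installs(events):
    """Return one finding per event where sdbinst.exe quietly installs
    a .sdb file located directly in %localappdata%\\Low."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "sdbinst.exe":
            continue
        cmd = ev["cmdline"]
        match = SDB_IN_LOW.search(cmd)
        if not match or not QUIET_SWITCH.search(cmd):
            continue
        sdb_path, stem = match.group(1), match.group(2)
        findings.append({
            "host": ev["host"],
            "sdb": sdb_path,
            # The description lists a .bat sharing the .sdb's %variable3% name.
            "companion_bat": ntpath.join(ntpath.dirname(sdb_path), stem + ".bat"),
        })
    return findings

if __name__ == "__main__":
    for finding in find_silent_sdb_installs(SAMPLE_EVENTS):
        print(finding)
```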

Win32/Dridex.Y attempts to gain administrative privileges on the system.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{%variable4%}\ShellFolder]
    • "(Default)" = %binaryvalue%

A string with variable content is used instead of %variable1-4%.

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer name
  • installed program components under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] Registry subkeys

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan terminates processes with any of the following strings in the name:

  • Progman
  • Program Manager

The trojan may delete files stored in the following folders:

  • %AVGapplicationfolder%\update\

The trojan may create the following files:

  • %AVGapplicationfolder%\update\download

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. The HTTP and HTTPS protocols are used for communication.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
