
Worm:MSIL/Cribz.A


First posted on 30 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:MSIL/Cribz.A.

Explanation :

Threat behavior

Installation

Worm:MSIL/Cribz.A installs a copy of itself on your PC in the following location:

  • \.exe
  • %TEMP%\.exe


We have seen it use file names such as pxcfx.exe and qbpye.exe.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "", for example "%TEMP%\pxcfx.exe"
With data: "%TEMP%\.exe -w", for example "%TEMP%\pxcfx.exe -w"

The malware also adds itself to your firewall's authorized applications list so its outside communications won't be blocked by the firewall. It does this by creating the following registry entries:

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Sets value: "", for example "\qbpye.exe"
With data: ":*:Enabled:", for example "\qbpye.exe:*:Enabled:Qbpye"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "", for example "\qbpye.exe"
With data: ":*:Enabled:", for example "\qbpye.exe:*:Enabled:Qbpye"

The malware checks for an Internet connection by querying any of the following servers:

  • amazon.com
  • aol.com
  • ask.com
  • bing.com
  • facebook.com
  • google.com
  • live.com
  • yahoo.com
  • msn.com
  • twitter.com
  • youtube.com


Payload

Sends infected emails

Worm:MSIL/Cribz.A sends an email to all of your email contacts stored in your default email client, such as Outlook. It attaches itself to this email as a .zip file.

We have seen it send emails that look like the following:

The name of the file in the attached ZIP file uses the format .exe. We have seen the following examples:

  • affidamento.doc .exe
  • bozze.bmp _7z.exe
  • Collaborazione.txt .exe
  • candidatura.odt _7z.exe
  • conferma.jpg .exe
  • denuncia.txt _7z.exe
  • esperienze.jpg _7z.exe
  • evento.ppt _7z.exe
  • fatturati.docx _7z.exe
  • Fincantieri.txt _7z.exe
  • formazione.ppt .exe
  • iscrizione.txt _7z.exe
  • KEYOPEN.EXE
  • offerta.mdb .exe
  • OdG.odt _7z.exe
  • OdG.txt .exe
  • pensiero.db .exe
  • presenze.jpg .exe
  • proposte.txt .exe
  • quotidiano.pptx .exe
  • ratei.docx .exe
  • ritocchi.xlsx .exe
  • scheda.ppt .exe
  • Stop.docx _7z.exe
  • TERMINI.EXE
  • tfr.ppt .exe
  • versamenti.txt _7z.exe


The file name attempts to trick the email recipient into thinking the attachment is a valid document or image, and not a malicious executable file.
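As an added example (not part of the Microsoft write-up), the following PowerShell check could be applied by a mail-gateway or triage script to attachment names: it flags a name whose real, final extension is executable but whose visible part ends in a document or image extension, padded with spaces or a `_7z` suffix as in the list above. The function name and the extension lists are my own choices, and the sample names are constructed from the examples given.

```powershell
# Added example, not code from the write-up: detect executables disguised with
# a document/image extension plus whitespace padding or a "_7z" suffix.
function Test-DisguisedExecutableName {
    param([Parameter(Mandatory)][string]$Name)
    # The final extension decides what Windows runs; match is case-insensitive.
    $execExt = '\.(exe|scr|com|pif|bat|cmd)$'
    if ($Name -notmatch $execExt) { return $false }
    # Strip the final extension, an optional "_7z" suffix and trailing spaces,
    # then test whether the remaining visible name ends in a decoy extension.
    $stem = (($Name -replace $execExt, '') -replace '_7z$', '').TrimEnd()
    return [bool]($stem -match '\.(doc|docx|xls|xlsx|ppt|pptx|odt|txt|jpg|jpeg|png|gif|bmp|pdf|mdb|db|rtf)$')
}

# Constructed sample names: decoy names from the write-up plus benign ones.
$samples = @(
    'affidamento.doc                .exe',
    'bozze.bmp _7z.exe',
    'KEYOPEN.EXE',    # a plain executable, not a disguised one
    'report.docx',
    'setup.exe'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-DisguisedExecutableName $s), $s
}
```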

Lowers your PC security settings

This malware drops a .reg file in %TEMP% and runs it using Regedit.exe. The .reg file contains registry modifications that can lower your PC security settings.

This can also stop your security software from working correctly.

Some examples of the registry entries that are added or modified include:

In subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Access\Security
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Excel\Security
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Sets value: "Level"
With data: "dword:00000001"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2004"
With data: "dword:00000000"
Sets value: "2001"
With data: "dword:00000000"
Sets value: "1A10"
With data: "dword:00000001"

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Sets value: "1"
With data: "avgnt.exe"
Sets value: "2"
With data: "avguard.exe"
Sets value: "3"
With data: "avshadow.exe"
Sets value: "4"
With data: "AVWEBGRD.EXE"
Sets value: "5"
With data: "sched.exe"
Sets value: "6"
With data: "AvastSvc.exe"
Sets value: "7"
With data: "AvastUI.exe"
Sets value: "8"
With data: "afwServ.exe"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Sets value: "AllAlertsDisabled"
With data: "dword:00000001"
Sets value: "AntiVirusDisableNotify"
With data: "dword:00000001"
Sets value: "AntiVirusOverride"
With data: "dword:00000001"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Sets value: "AllAlertsDisabled"
With data: "dword:00000001"
Sets value: "AntiVirusDisableNotify"
With data: "dword:00000001"
Sets value: "AntiVirusOverride"
With data: "dword:00000001"
Sets value: "DisableMonitoring"
With data: "dword:00000001"
Sets value: "FirewallDisableNotify"
With data: "dword:00000001"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Sets value: "ServiceMain"
With data: "SvchostEntry_W32Time"



Analysis by Ric Robeilos

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Sets value: "", for example "%TEMP%\pxcfx.exe"
    With data: "%TEMP%\.exe -w", for example "%TEMP%\pxcfx.exe -w"

    In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    Sets value: "", for example "\qbpye.exe"
    With data: ":*:Enabled:", for example "\qbpye.exe:*:Enabled:Qbpye"

    In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "", for example "\qbpye.exe"
    With data: ":*:Enabled:", for example "\qbpye.exe:*:Enabled:Qbpye"
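As an added example (my own code, not Microsoft's), the following read-only PowerShell audit walks the registry locations named in the Installation, "Lowers your PC security settings" and Symptoms sections and reports values matching the described changes: a RunOnce entry launching an .exe from %TEMP% with the "-w" switch, legacy firewall exceptions for an executable in %TEMP%, DisallowRun entries naming the listed security processes, Security Center overrides, and Office 10.0 macro security lowered to Level 1. The function names and the "executable lives in %TEMP%" heuristic are my assumptions; the process and value names come from the write-up.

```powershell
# Added example, not the write-up's code: read-only audit of the registry
# indicators described for Worm:MSIL/Cribz.A. The TEMP-path heuristic is an assumption.
function Get-CribzRegistryIndicators {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($what, $key, $name, $data) {
        $hits.Add([pscustomobject]@{ Indicator = $what; Key = $key; Name = $name; Data = $data })
    }
    # Enumerate a key's values, skipping PS* metadata properties; empty if the key is absent.
    function Get-Values($key) {
        if (-not (Test-Path $key)) { return @() }
        (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    }
    # 1. RunOnce entry launching an .exe from %TEMP% with the "-w" switch.
    $runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($v in Get-Values $runOnce) {
        $d = [string]$v.Value
        if (($d -like '*%TEMP%\*' -or $d -like "*$env:TEMP\*") -and $d -match '\.exe"?\s+-w\s*$') {
            Add-Hit 'RunOnce launches .exe from TEMP with -w' $runOnce $v.Name $d
        }
    }
    # 2. Legacy firewall "authorized applications" entries whitelisting an executable in TEMP.
    foreach ($p in 'DomainProfile', 'StandardProfile') {
        $fw = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$p\AuthorizedApplications\List"
        foreach ($v in Get-Values $fw) {
            if ($v.Name -like "$env:TEMP\*" -and $v.Value -match ':\*:Enabled:') {
                Add-Hit 'Firewall exception for TEMP executable' $fw $v.Name $v.Value
            }
        }
    }
    # 3. DisallowRun entries naming the security-product processes listed in the write-up.
    $avNames = 'avgnt.exe','avguard.exe','avshadow.exe','AVWEBGRD.EXE','sched.exe','AvastSvc.exe','AvastUI.exe','afwServ.exe'
    $dr = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    foreach ($v in Get-Values $dr) {
        if ($avNames -contains $v.Value) { Add-Hit 'DisallowRun blocks security process' $dr $v.Name $v.Value }
    }
    # 4. Security Center notification/monitoring overrides set to 1.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $scNames = 'AllAlertsDisabled','AntiVirusDisableNotify','AntiVirusOverride','DisableMonitoring','FirewallDisableNotify'
    foreach ($v in Get-Values $sc) {
        if ($scNames -contains $v.Name -and $v.Value -eq 1) { Add-Hit 'Security Center override' $sc $v.Name $v.Value }
    }
    # 5. Office 10.0 (Office XP) macro security Level lowered to 1 for the listed applications.
    foreach ($app in 'Access', 'Excel', 'Outlook') {
        $off = "HKCU:\Software\Microsoft\Office\10.0\$app\Security"
        foreach ($v in Get-Values $off) {
            if ($v.Name -eq 'Level' -and $v.Value -eq 1) { Add-Hit 'Office macro security Level=1' $off 'Level' $v.Value }
        }
    }
    return $hits
}
Get-CribzRegistryIndicators | Format-Table -AutoSize
```

An empty table means none of the described values are present; the firewall keys under SharedAccess are the legacy (pre-Vista) policy store and may be absent on current Windows, which the Test-Path guard tolerates.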

Last update 30 October 2014
