
W32.Cridex.B


First posted on 24 June 2014.
Source: Symantec

Aliases :

There are no other names known for W32.Cridex.B.

Explanation :

The Trojan may arrive on the compromised computer through phishing emails.

Once executed, the Trojan creates the following files:
%UserProfile%\Application Data\[RANDOM DIGITS].bat
%UserProfile%\Application Data\Microsoft\[THREE RANDOM CHARACTERS][RANDOM WORD].exe
Note: [RANDOM WORD] may be one of the following:
api32
audio
bios
boot
cap32
common
config
crypt
edit32
error
mgr32
serial
setup
share
sock
system
update
video
windows
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[THREE RANDOM CHARACTERS][RANDOM WORD].exe" = "%UserProfile%\Application Data\Microsoft\[THREE RANDOM CHARACTERS][RANDOM WORD].exe"

It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"

The Trojan also creates the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\[EIGHT RANDOM CHARACTERS]\[TEN RANDOM CHARACTERS]

The Trojan may then connect to port 8080 on the following IP addresses:
58.97.0.5
31.192.210.86
50.31.152.113
204.93.183.196
94.76.218.166
69.64.69.191
69.64.70.26
50.31.152.124
162.248.214.137
The Trojan may then inject itself into browser processes in order to monitor communications and steal information from the compromised computer.
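The file, registry and network indicators above can be turned directly into hunting logic. The following is an added example (not Symantec's or malwarePDF's code) that matches the dropped-file naming scheme, the Run-key persistence entry, the GlobalUserOffline value, the Office\Common random subkey and the port-8080 connections against a stream of host events. The event format (plain dicts with a "type" key) and the sample events are constructed for this example to stand in for an EDR or Sysmon export; it also assumes that on Vista and later the XP-era "Application Data" directory appears as AppData\Roaming, which the writeup does not state.

```python
"""Hunt for the W32.Cridex.B indicators listed in the writeup.

Added example, not the original page's or Symantec's code. The event
dicts and SAMPLE_EVENTS are constructed here; substitute your own export.
"""
import re

# [RANDOM WORD] values from the writeup.
RANDOM_WORDS = [
    "api32", "audio", "bios", "boot", "cap32", "common", "config", "crypt",
    "edit32", "error", "mgr32", "serial", "setup", "share", "sock", "system",
    "update", "video", "windows",
]

# "Application Data" is the XP-era profile path; on Vista+ the same location is
# AppData\Roaming (assumption: the writeup only names the XP form).
APPDATA_RE = r"(?:\\Application Data|\\AppData\\Roaming)"

# %UserProfile%\Application Data\Microsoft\[THREE RANDOM CHARACTERS][RANDOM WORD].exe
DROPPED_EXE_RE = re.compile(
    APPDATA_RE + r"\\Microsoft\\([A-Za-z0-9]{3}(?:" + "|".join(RANDOM_WORDS) + r")\.exe)$",
    re.IGNORECASE,
)
# %UserProfile%\Application Data\[RANDOM DIGITS].bat
DROPPED_BAT_RE = re.compile(APPDATA_RE + r"\\\d+\.bat$", re.IGNORECASE)

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# HKCU\Software\Microsoft\Office\Common\[EIGHT RANDOM CHARACTERS]\[TEN RANDOM CHARACTERS]
OFFICE_COMMON_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\[A-Za-z0-9]{8}\\[A-Za-z0-9]{10}$",
    re.IGNORECASE,
)

C2_PORT = 8080
C2_ADDRS = {
    "58.97.0.5", "31.192.210.86", "50.31.152.113", "204.93.183.196", "94.76.218.166",
    "69.64.69.191", "69.64.70.26", "50.31.152.124", "162.248.214.137",
}


def check_event(ev):
    """Return the name of the indicator this event matches, or None."""
    kind = ev["type"]
    if kind == "file_create":
        if DROPPED_EXE_RE.search(ev["path"]):
            return "cridex_dropped_exe"
        if DROPPED_BAT_RE.search(ev["path"]):
            return "cridex_dropped_bat"
    elif kind == "reg_set":
        key, name, data = ev["key"], ev.get("name", ""), str(ev.get("data", ""))
        if key.lower() == RUN_KEY.lower():
            m = DROPPED_EXE_RE.search(data)
            # Run value is named after the dropped EXE and points at it.
            if m and m.group(1).lower() == name.lower():
                return "cridex_run_persistence"
        if key.lower() == INET_KEY.lower() and name.lower() == "globaluseroffline" and data == "0":
            # Legitimate software also sets this ("work online"); weak on its own.
            return "cridex_globaluseroffline"
        if OFFICE_COMMON_RE.match(key):
            return "cridex_office_common_subkey"
    elif kind == "net_connect":
        if ev["dst"] in C2_ADDRS and ev["port"] == C2_PORT:
            return "cridex_c2_connect"
    return None


def scan(events):
    """Return [(indicator, event)] for every event that hits an indicator."""
    hits = []
    for ev in events:
        indicator = check_event(ev)
        if indicator:
            hits.append((indicator, ev))
    return hits


# Constructed sample events: one of each indicator plus benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\Application Data\7162.bat"},
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\Application Data\Microsoft\kqzcrypt.exe"},
    {"type": "file_create", "path": r"C:\Documents and Settings\alice\Application Data\Microsoft\Templates\Normal.dot"},
    {"type": "reg_set", "key": RUN_KEY, "name": "kqzcrypt.exe",
     "data": r"C:\Documents and Settings\alice\Application Data\Microsoft\kqzcrypt.exe"},
    {"type": "reg_set", "key": RUN_KEY, "name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"type": "reg_set", "key": INET_KEY, "name": "GlobalUserOffline", "data": "0"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Xk3pQ9aZ\b7Lm2Qw8rT"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security", "name": "x", "data": "1"},
    {"type": "net_connect", "dst": "50.31.152.113", "port": 8080},
    {"type": "net_connect", "dst": "50.31.152.113", "port": 443},
    {"type": "net_connect", "dst": "93.184.216.34", "port": 8080},
]

if __name__ == "__main__":
    for indicator, ev in scan(SAMPLE_EVENTS):
        print(indicator, ev)
```

Treat a single GlobalUserOffline hit as context only; the file name pattern, the matching Run value and a connection to one of the listed addresses on port 8080 are the indicators worth alerting on. The address list dates from the 2014 writeup, so use it for retrospective hunting rather than as a current block list.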

Last update 24 June 2014
