BKDR_CRIDEX.GO

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following copies of itself into the affected system and executes them:

• %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

• %User Profile%\Application Data\{random folder name}\{random file name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

• %User Profile%\Application Data\{random folder name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Other Details

This backdoor connects to the following possibly malicious URL:

• http://{BLOCKED}.{BLOCKED}.61.59:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.102.204:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.188.156:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.68.239:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.174.136:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.17.180:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.226.30:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.156.170:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.109.204:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.147.52:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.30.202:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.23.100:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.100.41:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.73.220:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.94.96:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.221.6:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.19.236:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.89.82:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.107.25:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.237.170:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.229.10:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.113.66:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.120.32:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.250.157:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.100.108:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA
• http://{BLOCKED}.{BLOCKED}.129.120:8080/LvI/xCA/GoZZkCAAAA/Noy6SAAAA

It deletes the initially executed copy of itself