WORM_CRIDEX.DP

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

• %User Profile%\Application Data\{random folder name}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Local\XME%08X
• Local\XMI%08X
• Local\XMM%08X
• Local\XMF%08X
• Local\XMS%08X
• Local\XMR%08X

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{random value 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

Propagation

This worm creates the following folders in all removable drives:

• {drive letter}:\{random folder}

It drops the following copy(ies) of itself in all removable drives:

• {drive letter}:\{random folder}\{random file name}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open={random folder}\{random file name}.exe
shell\Open\Command={random folder}\{random file name}.exe
shell\Open\Default=1
shell\Explore\Command={random folder}\{random file name}.exe
shell\Autoplay\command={random folder}\{random file name}.exe

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Monitor browser cookies
• Download and execute arbitrary files
• Upload stolen information
• Download configuration files

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.{BLOCKED}.87.172:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.168.98:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.203.140:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.221.6:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.23.100:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.5.140:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.12.158:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.122.8:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.0.138:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.41.155:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.144.115:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.42.98:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.144.158:8080/mx/5/A/in/
• http://{BLOCKED}.{BLOCKED}.76.102:8080/mx/5/A/in/

Information Theft

This worm monitors the Internet Explorer (IE) activities of the affected system, specifically the address bar or title bar. It recreates a legitimate website with a spoofed login page if a user visits banking sites with the following strings in the address bar or title bar:

• \.com/k1/
• /ach/
• /authentication/zbf/k/
• /bb/logon/
• chase\.com
• /cashman/
• /cashplus/
• /clkccm/
• /cmmain\.cfm
• /cmserver/
• /cmwire
• achredirect\.aspx
• cbonline
• /ebc_ebc1961/
• /ibs\.
• /ibws/
• /icm/
• /icm2/
• /inets/
• /livewire/
• /loginolb/loginolb
• /netbnx/
• /olbb/
• /phcp
• /sbuser/
• /smallbiz/
• /wcmpw/
• /webcm/
• /wire/
• /wires/
• 2checkout\.com
• ablv\.com
• access\.jpmorgan\.com
• access\.usbank\.com
• accessbankplc\.com
• accountoverview\.aspx
• accurint\.com
• achieveaccess\.citizensbank\.com
• achpayment
• achweb\.unionbank\.com
• achworks\.com
• alltimetreasury\.pacificcapitalbank\.com
• alphabank\.com
• amegybank\.com/
• anb\.portalvault\.com
• atbonlinebusiness\.com
• auth\.umb\.com
• authmaster\.nationalcity\.com
• baltikums\.com
• baltikums\.eu
• banesco\.com\.pa
• bankbyweb
• bankfirst\.com
• banking\.calbanktrust\.com
• banking\.firsttennessee\.biz
• accurint\.com
• plainscapital\.gfxwebwire\.com
• sterlingpayment\.com
• rbsm\.com
• business\.swedbank\.lv
• secure\.accesshorizon\.com
• myonline\.bankbv\.com
• cencorpcu\.com/
• banknet\.lv
• bankofbermuda\.com
• bankofcyprus\.com
• bankonline\.sboff\.com
• bankonline\.umpquabank\.com
• bbo\.1stsource\.com
• bib\.lv
• billauth
• billmenu
• bizcurrency\.com
• blilk
• bmo\.com/
• bmoharrisprivatebankingonline\.com
• bmomutualfunds\.com
• bnycash\.bankofny\.com
• bob\-w\.
• bob\.sovereignbank\.com
• bolb\-east\.associatedbank\.com
• bolb\-west\.associatedbank\.com
• bolb\.
• boveda\.banamex\.com\.mx
• bscincky\.com
• business\.macu\.com
• business\.netbankerplus\.com
• business_solutions
• businessaccess\.citibank\.citigroup\.com
• businessappshome
• businessbanking\.cibc\.com
• businessclassonline\.compassbank\.com
• businesslogin
• businessmanager\.com
• businessonline
• businessportal\.mibank\.com
• butterfieldonline\.ky
• bxs\.com
• cashanalyzer\.com
• cashmanager\.mizuhoe\-treasurer\.com
• cashmgmt
• cashmgt
• cashproonline\.bankofamerica\.com
• bankofamerica\.com
• cashproweb\.com/cpwportal
• cbbusinessonline\.com
• cencorpcu\.com
• cfgbusinessaccess\.com
• checkgateway
• checkout\.com/va/login
• cib\.bankofthewest
• cibconline\.cibc\.com
• cimbanque\.net
• citizensbankmoneymanagergps\.com
• cmachm\.w
• cmbmnt\.w
• cmol\.bbt\.com/auth
• cmwirp\.w
• cnbsec1\.
• colb\.
• comerica\.com
• commercebusinessdirect\.com
• commercial\.wachovia\.com
• commercialservices
• connect\.bankcolonial\.com
• connect\.colonialbank\.com
• constitutioncorp\.org
• corpach
• corporate\.epfc\.com
• corporateaccounts
• corporatebankingweb
• corporateconnect\.net
• corpower\.coop
• createcorpwire
• createwire
• cu\.com
• cu\.org
• danskebanka\.lv
• db\-direct\.db\.com
• directline4biz\.com
• directnet\.com
• e\-moneyger
• e\-norvik\.lv
• easywebcpo\.td\.com/waw/idp
• ebanking\-services
• ebemo\.bemobank\.com
• ebill\.highmark\.com
• ecash\.
• ecm\-transfers\.unionbank\.com
• ecms\.unionbank\.com
• efirstbank\.com
• ekp\.lv
• enternetbank\.com
• enterprise2\.openbank\.com
• epd\.uscentral\.org
• eurobankefg\.com
• exact4web
• exness\.com
• express\.53\.com
• expressdeposit\.colonialbank\.com
• fbmedirect\.com
• ffinonline\.com
• ffrontier\.com
• firstbancorp\.com
• firstbanks\.com
• firstcitizens\.com
• fnfgbusinessonline\.enterprisebanker\.com
• fxpayments\.americanexpress\.com
• geonline\.lv
• global\-ebanking\.com
• global1\.onlinebank\.com
• globalink\.leumiusa\.com
• goldleaf
• guard\.scotiabank\.com
• handelsbanken\.lv
• hbcash\.exe
• hblibank\.com
• hbproxy\.exe
• hellenicnetbanking\.com
• hillsbank\.com
• hiponet\.lv
• hkbea
• hsbc\.com\.mx
• i\-linija\.lt
• ib\.dnb\.lv
• ibanking\-services\.com
• ibbpl2\.com
• ibbpowerlink\.com
• ibbusinessnet\.com
• ibcbankonline\.ibc\.com
• ifxmanager\.bankofny\.com
• ifxmanager\.bnymellon\.com
• inetbanker
• injectreceiver
• internationalbanking\.
• internationalpayments\.
• internet\-ebanking\.com
• internetbanker\.cc
• itinternet\.net
• itreasury\.amsouth\.com
• ktt\.key\.com
• lakelandbank\.com
• libertymutualbusinessdirect\.com
• lionbank\.com
• login_business\.asp
• logincm
• loyalbank\.com
• lv\.unicreditbanking\.net
• marfinbank\.com\.cy
• mbachexpress\.com
• mcb\-home\.com/online
• memberach
• metrobankdirect\.com
• midatlanticcorp\.org
• moneymanagergps\.com
• multinetbank\.eu
• my\.statestreet\.com
• mycorporate\.org
• myonlineservices\.cbolobank\.com
• nashvillecitizensbank\.com
• nationalcity\.com/consultnc
• nbarizona\.com/login_business\.jsp
• nbb\.controlsecure\.com
• ncms\-inc\.com
• netteller
• nfbconnect\.com
• northbaybancorp\.com
• northerntrust\.com
• norvik\.lv
• nsbank\.com
• ntrs\.com
• nubi
• olb\.
• olb\.ent\.com/business/
• online\-offshore\.lloydstsb\.com
• online\.1stnb\.com
• online\.alphabank\.com
• online\.citadele\.lv
• online\.dollarbank\.com
• online\.ibl\.com\.lb
• online\.lkb\.lv
• online\.ovcb\.com
• online\.usb\.com\.cy
• online\.wilberbank\.com

Other Details

This worm deletes the initially executed copy of itself

NOTES:

It monitors the following browsers:

• iexplore.exe
• firefox.exe