WORM_CRIDEX.GT
Win32/Cridex.AA worm (Microsoft), W32.Cridex (Symantec), Worm:Win32/Cridex.E (Microsoft)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It executes then deletes itself afterward.
TECHNICAL DETAILS
File Size: 155,648 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 27 Mar 2013
Arrival Details
This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %User Profile%\Application Data\KB{random number}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It creates the following folders:
- %User Profile%\Application Data\{random folder}
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It executes then deletes itself afterward.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"
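The dropped file name and the Run-key value above give a defender two host artifacts to check for. The following PowerShell is an added example written for this entry, not code from Trend Micro; it assumes that "KB{random number}.exe" means a name of the form KB followed by digits and .exe (regex `^KB\d+\.exe$`), and it uses the current user's roaming Application Data folder, which is what %User Profile%\Application Data resolves to on the listed Windows versions.

```powershell
# Added example (not from the original entry): look for the persistence artifacts
# this description lists on the local host and report them for triage.
# Assumption: the "{random number}" part of the file name is a run of digits.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # %User Profile%\Application Data
$pattern = '^KB\d+\.exe$'

$findings = @()

# 1. Run-key values named KB{number}.exe (the autostart entry from the description)
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match $pattern) {
            $findings += [pscustomobject]@{
                Type  = 'RunKeyValue'
                Name  = $p.Name
                Value = $p.Value
            }
        }
    }
}

# 2. Dropped copy of the worm in %User Profile%\Application Data
Get-ChildItem -Path $appData -Filter 'KB*.exe' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type  = 'DroppedFile'
            Name  = $_.Name
            Value = "$($_.FullName) ($($_.Length) bytes)"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_CRIDEX.GT persistence artifacts found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of the user whose profile is being examined, since both artifacts live under HKEY_CURRENT_USER and the user's own profile folder. A hit on the file name alone is not proof of infection: confirm it against the sample size given in this entry (155,648 bytes) and your AV vendor's hash before remediating, and corroborate with proxy or firewall logs for outbound connections to port 8080 as listed under Other Details.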
Other Details
This worm connects to the following possibly malicious URL:
- http://{BLOCKED}.{BLOCKED}.106.162:8080
- http://{BLOCKED}.{BLOCKED}.94.212:8080
- http://{BLOCKED}.{BLOCKED}.208.130:8080
- http://{BLOCKED}.{BLOCKED}.5.195:8080
- http://{BLOCKED}.{BLOCKED}.3.246:8080
- http://{BLOCKED}.{BLOCKED}.207.52:8080
- http://{BLOCKED}.{BLOCKED}.201.180:8080
- http://{BLOCKED}.{BLOCKED}.74.5:8080
- http://{BLOCKED}.{BLOCKED}.36.93:8080
- http://{BLOCKED}.{BLOCKED}.200.151:8080
- http://{BLOCKED}.{BLOCKED}.99.48:8080
- http://{BLOCKED}.{BLOCKED}.53.168:8080
- http://{BLOCKED}.{BLOCKED}.160.142:8080
- http://{BLOCKED}.{BLOCKED}.143.90:8080
- http://{BLOCKED}.{BLOCKED}.156.20:8080
- http://{BLOCKED}.{BLOCKED}.130.98:8080
- http://{BLOCKED}.{BLOCKED}.135.227:8080
- http://{BLOCKED}.{BLOCKED}.167.124:8080
- http://{BLOCKED}.{BLOCKED}.204.148:8080
- http://{BLOCKED}.{BLOCKED}.90.92:8080
- http://{BLOCKED}.{BLOCKED}.155.222:8080
- http://{BLOCKED}.{BLOCKED}.218.123:8080