Analysis by: Mark Joseph Manahan

ALIASES:

Win32/Cridex.AA worm (Microsoft), W32.Cridex (Symantec), Worm:Win32/Cridex.E (Microsoft)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It executes and then deletes itself.

TECHNICAL DETAILS

File Size: 155,648 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 27 Mar 2013

Arrival Details

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %User Profile%\Application Data\{random folder}

It executes and then deletes itself.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KB{random number}.exe = "%User Profile%\Application Data\KB{random number}.exe"

Other Details

This worm connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.106.162:8080
  • http://{BLOCKED}.{BLOCKED}.94.212:8080
  • http://{BLOCKED}.{BLOCKED}.208.130:8080
  • http://{BLOCKED}.{BLOCKED}.5.195:8080
  • http://{BLOCKED}.{BLOCKED}.3.246:8080
  • http://{BLOCKED}.{BLOCKED}.207.52:8080
  • http://{BLOCKED}.{BLOCKED}.201.180:8080
  • http://{BLOCKED}.{BLOCKED}.74.5:8080
  • http://{BLOCKED}.{BLOCKED}.36.93:8080
  • http://{BLOCKED}.{BLOCKED}.200.151:8080
  • http://{BLOCKED}.{BLOCKED}.99.48:8080
  • http://{BLOCKED}.{BLOCKED}.53.168:8080
  • http://{BLOCKED}.{BLOCKED}.160.142:8080
  • http://{BLOCKED}.{BLOCKED}.143.90:8080
  • http://{BLOCKED}.{BLOCKED}.156.20:8080
  • http://{BLOCKED}.{BLOCKED}.130.98:8080
  • http://{BLOCKED}.{BLOCKED}.135.227:8080
  • http://{BLOCKED}.{BLOCKED}.167.124:8080
  • http://{BLOCKED}.{BLOCKED}.204.148:8080
  • http://{BLOCKED}.{BLOCKED}.90.92:8080
  • http://{BLOCKED}.{BLOCKED}.155.222:8080
  • http://{BLOCKED}.{BLOCKED}.218.123:8080
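The two host- and network-side indicators above (the Run-key value named KB{random number}.exe pointing into %User Profile%\Application Data, and plain HTTP beaconing to bare IP addresses on port 8080) translate directly into detection logic. The following Python is an added example written for this page, not code from the report or from Trend Micro: it checks a dictionary of Run-key values and a list of proxy log lines for those patterns. The registry values, the proxy log format (URL as the fourth whitespace-separated field) and the 203.0.113.x / 198.51.100.x addresses are all constructed placeholders; the report's actual C&C addresses are redacted and are not reproduced here.

```python
"""Detection helpers for the persistence and network indicators in the report.

Added example, not part of the original Trend Micro report. Sample registry
values and proxy log lines are constructed; the 203.0.113.x and 198.51.100.x
addresses are documentation-range placeholders, not the report's (redacted)
C&C servers.
"""
import re
from typing import Dict, Iterable, List

# Autostart indicator: HKCU\...\Run value named KB{random number}.exe whose data
# points at a copy of the worm under %User Profile%\Application Data
# (AppData\Roaming is the Vista/7 equivalent of that folder).
RUN_VALUE_NAME = re.compile(r"^KB\d+\.exe$", re.IGNORECASE)
RUN_VALUE_DATA = re.compile(
    r"(?:Application Data|AppData\\Roaming)\\KB\d+\.exe$", re.IGNORECASE
)

# Network indicator: plain HTTP to a bare IPv4 address on port 8080.
C2_URL = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3}):8080(?:/|$)", re.IGNORECASE)


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key value names whose name AND data both match the pattern."""
    hits = []
    for name, data in run_values.items():
        path = data.strip().strip('"')  # tolerate quoted paths
        if RUN_VALUE_NAME.match(name) and RUN_VALUE_DATA.search(path):
            hits.append(name)
    return hits


def suspicious_connections(log_lines: Iterable[str]) -> List[str]:
    """Return destination IPs of proxy log lines whose URL is a bare IP on :8080.

    Assumed (constructed) log format: whitespace-separated fields with the
    requested URL as the fourth field, e.g.
    '2013-03-27T10:00:01Z host01 GET http://203.0.113.5:8080/ 200'.
    Lines with fewer than four fields are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        m = C2_URL.match(fields[3])
        if m:
            hits.append(m.group(1))
    return hits


# Constructed sample Run-key values: one benign entry, one matching the
# report's KB{random number}.exe pattern, one with a similar name but a
# data path that does not match.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "KB48271563.exe": r'"C:\Documents and Settings\alice\Application Data\KB48271563.exe"',
    "KB2998": r"C:\Windows\system32\notepad.exe",
}

# Constructed proxy log lines (placeholder documentation-range addresses).
SAMPLE_PROXY_LOG = [
    "2013-03-27T10:00:01Z host01 GET http://203.0.113.5:8080/ 200",
    "2013-03-27T10:00:02Z host01 GET http://www.example.com/index.html 200",
    "2013-03-27T10:00:03Z host02 GET http://198.51.100.212:8080/ 503",
    "2013-03-27T10:00:04Z host02 GET http://198.51.100.9:80/ 200",
    "malformed line",
]

if __name__ == "__main__":
    print("Run-key hits:", suspicious_run_entries(SAMPLE_RUN_VALUES))
    print("C&C-style connections:", suspicious_connections(SAMPLE_PROXY_LOG))
```

Both checks require the name and the path (or the scheme, host form and port) to match together, which keeps a legitimately named Windows update binary or a corporate proxy on port 8080 with a hostname from triggering on its own; the host-side check is the stronger of the two and is what an incident responder would pivot on first.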