Worm.Win32.Cridex_0a6771229d

by malwarelabrobot on January 12th, 2014 in Malware Descriptions.

Trojan.GenericKD.1489435 (BitDefender), Worm:Win32/Cridex (Microsoft), Trojan.Win32.Agent.ibjv (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Necurs.97 (DrWeb), Trojan.GenericKD.1489435 (B) (Emsisoft), RDN/PWS-Zbot.agg!c (McAfee), W32.Cridex (Symantec), Worm.Win32.Cridex (Ikarus), Trojan.GenericKD.1489435 (FSecure), Agent4.BMMQ (AVG), Win32:Cridex-Y [Wrm] (Avast), WORM_CRIDEX.NF (TrendMicro), Worm.Win32.Cridex.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0a6771229dab475f6ca665022cf368b4
SHA1: a227bd945e4088e78332cfc155bcf09724a52365
SHA256: d73a5a66f6defc88012da2d8aaeb1e43c64f03fb390b0d30b2e31cc80592fc60
SSDeep: 3072:dkYKT8fQ2FDsXYV/S 64QAyr6 KAqvEDyVd09syeOqyel4uf:dvWUQYsqS3u5 MA9kx6uf
Size: 196608 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-10 10:43:41
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

KB00904859.exe:3384
%original file name%.exe:3340

The Worm injects its code into the following process(es):

ctfmon.exe:252

File activity

The process %original file name%.exe:3340 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB00904859.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

Registry activity

The process ctfmon.exe:252 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process KB00904859.exe:3384 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:3340 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL                                                        IP
hxxp://beliyvolkalak.ru/bgb8LDA/pPyyx/yLrJeD/ (Malicious)  185.10.201.168
buriymishka.ru                                             Unresolvable
deepandtouch.ru                                            Unresolvable
djubkafriend.ru                                            Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in Secur32.dll:

InitializeSecurityContextA
UnsealMessage
SealMessage
InitializeSecurityContextW
DeleteSecurityContext

The Worm installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
WSARecv
send
connect
closesocket

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    KB00904859.exe:3384
    %original file name%.exe:3340

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\KB00904859.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.