Skip to main content

Worm.Win32.Cridex_bfc0fb5aef


Trojan.Win32.Bublik.bobr (Kaspersky), Worm.Win32.Cridex.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bfc0fb5aeffba2006cbd34d128261e2f

SHA1: 43867039def8d0da1cd2ab2e7b310237d1be3827

SHA256: 3efd470db941e050a74f8151a7e2e742d3708854547e6b61f6fd5d7729584d7b

SSDeep: 6144:yEU1G50Mwm/cYOKkYMGLHoVBw9l0dvgxC6DKWLIa9:M1OieVHoVB6AiChWUm

Size: 203776 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: LLC Pentagon

Created at: 2013-12-10 05:27:38

Analyzed on: WindowsXP SP3 32-bit

Summary: Worm. A program that is primarily replicating on networks or removable drives.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

KB01202533.exe:700
KB01202533.exe:1844
exp3.tmp.exe:1056
exp2.tmp.exe:1080
%original file name%.exe:1040

The Worm injects its code into the following process(es):No processes have been created.

File activity

The process exp3.tmp.exe:1056 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp4.tmp.bat (195 bytes)

The process %original file name%.exe:1040 makes changes in the file system.


The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

Registry activity

The process KB01202533.exe:700 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 CD FF 4F 8F 76 31 67 28 A5 31 A3 44 73 5F B6"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process KB01202533.exe:1844 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 5A 19 69 3B CC 47 58 D8 5F A9 E7 09 16 19 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process exp3.tmp.exe:1056 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 79 77 AE EA 05 07 A2 91 30 22 88 B5 20 C1 87"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process exp2.tmp.exe:1080 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 AB 57 B1 32 AC CF 14 2B 3D 4A 96 5B 0D 45 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:1040 makes changes in the system registry.


The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 5C A5 FB 10 43 0F E1 D0 AA 81 20 CC B8 45 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL IP
hxxp://softsysdnl.ru/lEE/eCAAA/szpmMBAA/JFfkq/ (Malicious)212.7.219.46
hxxp://updote-serv3.ru/lEE/eCAAA/szpmMBAA/JFfkq/ (Malicious)91.230.204.132


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in Secur32.dll:

InitializeSecurityContextA
DecryptMessage
SealMessage
InitializeSecurityContextW
DeleteSecurityContext

The Worm installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
WSARecv
send
connect
closesocket

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    KB01202533.exe:700
    KB01202533.exe:1844
    exp3.tmp.exe:1056
    exp2.tmp.exe:1080
    %original file name%.exe:1040

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\KB01202533.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp4.tmp.bat (195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps