Worm:Win32/Cridex.G

Worm:Win32/Cridex.G is a worm - a self-propagating program that can spread itself from one computer to another. Worms may spread themselves via a variety of different channels in order to compromise new computers. Commonly, worms may spread directly by copying themselves to removable or network drives, or by attempting to exploit particular vulnerabilities on targeted computers. Worms also often attempt to spread via platforms that require user interaction in order to run. They may send themselves as an attachment to an email or an instant message, or send a link to a copy of themselves in the body of a message. In these cases the message needs to be convincing enough to encourage the victim to click on the link or attachment and run or download a copy of the worm.

Installation

When run, Worm:Win32/Cridex.G copies itself as the following file:

%AppData%\KB<eight-digit number>.exe

It modifies the following registry entry to make sure its copy runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "KB<eight-digit number>.exe"
With data: "%AppData%\KB<eight-digit number>.exe"

It injects code into legitimate Windows processes to prevent itself from being detected and removed. When Worm:Win32/Cridex.G executes, it may inject code into running processes such as the following:

• explorer.exe
• firefox.exe
• iexplore.exe

Spreads via...

Removable drives

Worm:Win32/Cridex.G drops a copy ot itself into all available removable drives. It uses a random file name for its copy, and it places the copy in a randomly-named folder, for example:

<drive:>\dfusdyiunm34\etdh.exe

It creates a file named "autorun.inf", which causes the worm copy to automatically run whenever the drive is accessed and if Autorun is enabled in your computer. Note that Microsoft has released an update to disable Autorun in Windows. We recommend that you run the update to disable Autorun in your computer. More information can be found here.

Payload

Connects to remote servers

Worm:Win32/Cridex.G may connect to the servers located in the following IP addresses via port 8080:

• 110.234.150.163
• 123.49.61.59
• 173.203.96.79
• 184.106.189.124
• 190.81.107.70
• 202.143.147.35
• 203.172.252.26
• 203.172.252.29
• 203.217.147.52
• 211.44.250.173
• 41.168.5.140
• 83.238.208.55
• 89.111.176.87
• 91.121.103.143
• 95.142.167.193
• 97.74.75.172

Malware has been known to connect to remote servers to do any of the following:

• Confirm Internet connectivity
• Report a new infection to its author
• Receive configuration data or other data
• Download and execute arbitrary files (including updates or additional malware)
• Receive instruction from a remote attacker
• Upload data taken from your computer

Analysis by Edgardo Diaz