Follow:

 

Win32/Cridex


Microsoft security software detects and removes this threat. 
 
This worm can steal your personal information, including your online banking user names and passwords. It can also steal your user names and passwords for social networking websites.
 
It can be installed on your PC via infected removable drives, such as USB flash drives. It can also be installed by other malware, such as TrojanDownloader:Win32/Skidlo.A and Exploit:JS/Blacole.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
When run, Win32/Cridex installs a copy of itself as a randomly named file as in one of the following examples:
  • %USERPROFILE% \Application Data\kb<random numerals>.exe (i.e. "kb323934.exe")
  • %USERPROFILE% \Application Data\<random hexadecimal string>.exe (i.e. "9f9d8315.exe")

The registry is modified to run the worm copy at each Windows start.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "random string" (i.e "9f9d8315")
With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")

Win32/Cridex launches the worm copy and deletes its dropper. Win32/Cridex injects itself into every running process and hooks the API "ZwResumeThread" to ensure it will load into each newly created process.

Spreads via...

Removable drives

Win32/Cridex can create the following copies on removable drives, such as USB flash drives:

  • <drive:>\lnoqrz\bfnpyo.exe

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Steals and shares financial logon details

Win32/Cridex hooks various network related APIs in the web browser process (e.g. "iexplorer.exe" and "firefox.exe") to monitor and redirect HTTP and HTTPS traffic and capture online banking credentials. We have seen it steal credentials for a number of banking websites, including the following:

  • bankofamerica.com
  • chaseonline.chase.com
  • citibank.com
  • cibng.ibanking-services.com
  • ebanking-services.com
  • ibanking-services.com
  • bankonline.umpquabank.com
  • nsbank.com
  • comerica.com
  • securentry.calbanktrust.com
  • express.53.com
  • homebank.nbg.gr
  • online.ccbank.bg
  • ebanking.eurobank.gr
  • itreasury.regions.com
  • wellsfargo.com
  • www2.firstbanks.com
Captures logon credentials
 
Win32/Cridex may capture logon information from websites such as the following:
  • Facebook.com
  • Twitter.com
  • Blogger.com
  • Flickr.com
  • Livejournal.com

Communicates with a remote server

Win32/Cridex communicates via SSL with a remote server that is used for command and control of the malware. We have seen Win32/Cridex connect with the following domains:

  • evenconc.ru
  • extorld.ru
  • imbingdo.ru
  • muvinor.ru
  • pecoran.ru
  • shushev.ru

Win32/Cridex can be told to perform any of the following actions:

  • Export installed certificates and pack them into cabinet file
  • Clean cookies for various software, e.g. Internet Explorer, Firefox, Adobe Flash
  • Download and run other files
  • Search and upload local files
  • Upload collected certificates and credentials
  • Retrieve configuration data and store it in the registry, for example, HKCU\Software\Microsoft\Windows Media Center\<random hex string>\Default

Analysis by Shawn Wang


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
     
    %USERPROFILE%\Application Data\kb<random numerals>.exe (i.e. "kb323934.exe")
    %USERPROFILE%\Application Data\<random hexadecimal string>.exe (i.e. "9f9d8315.exe")
     
  • You see this entries or keys in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "random string" (i.e "9f9d8315")
    With data: "Win32/Cridex file name" (i.e. "9f9d8315.exe")

Prevention


Alert level: Severe
This entry was first published on: Sep 29, 2011
This entry was updated on: May 13, 2014

This threat is also detected as:
  • PWS-Spyeye.de (McAfee)