Worm.Win32.Cridex_3a3ae18e97

by malwarelabrobot on December 20th, 2013 in Malware Descriptions.

Trojan.Win32.Bublik.bohq (Kaspersky), Worm.Win32.Cridex.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 3a3ae18e970cf1e58a7c4ca8241c5e49
SHA1: 2a7a948abb57a8436a6cf71c44ebdf8fab78b77f
SHA256: e3053f672c119aa5e19b3209ac2064766aef94f7ff8d450cc0740f775825bc9a
SSDeep: 3072:weeu4h2W5WlkhtxW7IZOblRBqvTs7StITaFyY/k:EhX0khfW7UObl7q3IS/k
Size: 160768 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: LLC Pentagon
Created at: 2013-12-16 20:27:46
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

KB01202533.exe:532
KB01202533.exe:940
%original file name%.exe:960
exp2.tmp.exe:1644

The Worm injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:960 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

The process exp2.tmp.exe:1644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp3.tmp.bat (195 bytes)

Registry activity

The process KB01202533.exe:532 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 87 B1 0A 7F 53 D1 A2 3C 0F FB C0 A3 B7 02 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process KB01202533.exe:940 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 9F 94 D1 D3 40 4D E5 0E 8E 55 CD 27 FC AD F7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:960 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process exp2.tmp.exe:1644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 F6 A1 45 24 C3 E1 FB 0A FF 5C 83 68 F8 9E 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL IP
hxxp://83.167.37.101/lEE/eCAAA/szpmMBAA/JFfkq/
hxxp://88.191.146.91/lEE/eCAAA/szpmMBAA/JFfkq/


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in Secur32.dll:

InitializeSecurityContextA
DecryptMessage
SealMessage
InitializeSecurityContextW
DeleteSecurityContext

The Worm installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
WSARecv
send
connect
closesocket

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    KB01202533.exe:532
    KB01202533.exe:940
    %original file name%.exe:960
    exp2.tmp.exe:1644

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\KB01202533.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp3.tmp.bat (195 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now