Worm.Win32.Cridex_bfc0fb5aef

by malwarelabrobot on December 18th, 2013 in Malware Descriptions.

Trojan.Win32.Bublik.bobr (Kaspersky), Worm.Win32.Cridex.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bfc0fb5aeffba2006cbd34d128261e2f
SHA1: 43867039def8d0da1cd2ab2e7b310237d1be3827
SHA256: 3efd470db941e050a74f8151a7e2e742d3708854547e6b61f6fd5d7729584d7b
SSDeep: 6144:yEU1G50Mwm/cYOKkYMGLHoVBw9l0dvgxC6DKWLIa9:M1OieVHoVB6AiChWUm
Size: 203776 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: LLC Pentagon
Created at: 2013-12-10 05:27:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that primarily replicates itself across networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

KB01202533.exe:700
KB01202533.exe:1844
exp3.tmp.exe:1056
exp2.tmp.exe:1080
%original file name%.exe:1040

The Worm injects its code into the following process(es):
No processes have been created.

File activity

The process exp3.tmp.exe:1056 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp4.tmp.bat (195 bytes)

The process %original file name%.exe:1040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KB01202533.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

Registry activity

The process KB01202533.exe:700 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 CD FF 4F 8F 76 31 67 28 A5 31 A3 44 73 5F B6"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process KB01202533.exe:1844 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 5A 19 69 3B CC 47 58 D8 5F A9 E7 09 16 19 1C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process exp3.tmp.exe:1056 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 79 77 AE EA 05 07 A2 91 30 22 88 B5 20 C1 87"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process exp2.tmp.exe:1080 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 AB 57 B1 32 AC CF 14 2B 3D 4A 96 5B 0D 45 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:1040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 5C A5 FB 10 43 0F E1 D0 AA 81 20 CC B8 45 47"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Network activity (URLs)

URL IP
hxxp://softsysdnl.ru/lEE/eCAAA/szpmMBAA/JFfkq/ (Malicious) 212.7.219.46
hxxp://updote-serv3.ru/lEE/eCAAA/szpmMBAA/JFfkq/ (Malicious) 91.230.204.132


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in Secur32.dll:

InitializeSecurityContextA
DecryptMessage
SealMessage
InitializeSecurityContextW
DeleteSecurityContext

The Worm installs the following user-mode hooks in WS2_32.dll:

WSASend
recv
WSARecv
send
connect
closesocket

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    KB01202533.exe:700
    KB01202533.exe:1844
    exp3.tmp.exe:1056
    exp2.tmp.exe:1080
    %original file name%.exe:1040

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Application Data\KB01202533.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp4.tmp.bat (195 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\exp1.tmp.bat (189 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
