Win32/Cridex [Threat Name] go to Threat

Win32/Cridex.AA [Threat Variant Name]

Category trojan,worm
Size 180224 B
Aliases Worm:Win32/Cridex.E (Microsoft)
  W32.Cridex (Symantec)
  PWS-Zbot.gen.ajn (McAfee)
Short description

Win32/Cridex.AA is a trojan that steals passwords and other sensitive information. The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\­KB%number%.exe

The %number% represents a random number.

The trojan may create the following files:

  • %appdata%\­%variable%\­%variable%.srv

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "KB%number%.exe" = "%appdata%\­KB%number%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­S%variable%]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­C%variable%]

A string with variable content is used instead of %variable% .

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.

The trojan collects the following information:

  • POP3 account information
  • FTP account information
  • digital certificates
  • cookies
  • list of files/folders on specific drive
  • login user names for certain applications/services
  • login passwords for certain applications/services

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (16) URLs. The HTTP protocol is used.

It can execute the following operations:

  • send the list of disk devices and their type to a remote computer
  • send the list of files on specific drive to a remote computer
  • send files to a remote computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • delete cookies
  • monitor network traffic
  • modify network traffic
  • update itself to a newer version
  • send gathered information

The trojan creates and runs a new thread with its own program code in all running processes.

The trojan hooks the following Windows APIs:

  • LdrLoadDll (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • InitializeSecurityContextA (secur32.dll)
  • InitializeSecurityContextW (secur32.dll)
  • EncryptMessage (secur32.dll)
  • DecryptMessage (secur32.dll)
  • DeleteSecurityContext (secur32.dll)
  • connect (ws2_32.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)
  • recv (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • select (ws2_32.dll)
  • closesocket (ws2_32.dll)
  • getaddrinfo (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • PFXImportCertStore (crypt32.dll)
  • PR_Connect (nspr4.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Poll (nspr4.dll)
  • PR_Close (nspr4.dll)
  • SSL_ImportFD (ssl3.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.