Page 1 of 15

WinNT/Cridex (alias Dridex, Drixed)

Posted: Wed Dec 21, 2011 12:03 pm
by sugar
Hello, I'm looking for acdd4c2a377933d89139b5ee6eefc464

Re: Malware Requests

Posted: Thu Dec 22, 2011 7:26 am
by EP_X0FF
sugar wrote: Hello, I'm looking for acdd4c2a377933d89139b5ee6eefc464
This is Cridex.

Worm:Win32/Cridex.B

Posted: Tue Jan 03, 2012 9:16 am
by rkhunter
http://www.microsoft.com/security/porta ... 2147649733

Cridex

VT (22/43 >> 51.2%)

Seems this is Cridex too, but it is not detected as Cridex by all (ZBot, VirTool)... see the VT link (probably this is a muldrop).

VT (22/43 >> 51.2%)

Re: Worm:Win32/Cridex.B

Posted: Tue Jan 03, 2012 10:05 am
by EP_X0FF
rkhunter wrote: Seems this is Cridex too, but it is not detected as Cridex by all (ZBot, VirTool)... see the VT link (probably this is a muldrop).
Yes, it is Cridex.B too (http://www.virustotal.com/file-scan/rep ... 1325584240)

VirTool:Win32/VBInject is because of the crypter, which has a VB origin, with CreateProcess(CREATE_SUSPENDED)/NtWriteVirtualMemory/NtSetContextThread/NtResumeThread.
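As an added defender-side example (not code from this thread), the API sequence EP_X0FF describes can be matched in a sandbox API-call trace; the trace format and its lines are constructed here, and the logic assumes that one caller drives the whole chain on a single child it created with CREATE_SUSPENDED:

```python
import re
# Constructed sandbox-style API trace in a hypothetical "<caller pid> <api> key=value" format.
TRACE = """\
1001 CreateProcessW flags=0x4 new_pid=2002
1001 NtWriteVirtualMemory target_pid=2002 size=45056
1001 NtSetContextThread target_pid=2002
1001 NtResumeThread target_pid=2002
1003 CreateProcessW flags=0x0 new_pid=2004
1003 NtResumeThread target_pid=2004
1005 CreateProcessW flags=0x4 new_pid=2006
1005 NtWriteVirtualMemory target_pid=2006 size=4096
1005 NtResumeThread target_pid=2006
"""
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit of the Win32 CreateProcess API
SEQUENCE = ("NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread")  # order per the post
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<kv>.*)$")

def parse_line(line):
    """Split one trace line into (caller pid, api name, {key: value}) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split())
    return m.group("pid"), m.group("api"), kv

def find_hollowing(trace):
    """Return (caller_pid, target_pid) pairs where a child was created suspended,
    written to, had its thread context replaced and was then resumed, in that order."""
    progress = {}  # target_pid -> (caller_pid, index of next expected API in SEQUENCE)
    hits = []
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, kv = parsed
        if api.startswith("CreateProcess"):
            if int(kv.get("flags", "0"), 16) & CREATE_SUSPENDED:
                progress[kv["new_pid"]] = (pid, 0)  # start tracking this suspended child
            continue
        target = kv.get("target_pid")
        entry = progress.get(target)
        if entry and entry[0] == pid and api == SEQUENCE[entry[1]]:
            idx = entry[1] + 1
            if idx == len(SEQUENCE):  # full chain observed: flag it and stop tracking
                hits.append((pid, target))
                del progress[target]
            else:
                progress[target] = (pid, idx)
    return hits
```

The third constructed process in TRACE is written to but resumed without NtSetContextThread, so it is deliberately not flagged; the second was not created suspended and is never tracked.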

Re: Worm:Win32/Cridex.B

Posted: Thu Jan 05, 2012 3:14 am
by rkhunter
Two more Cridex droppers.

VT (3/43 >> 7.0%)

VT (26/43 >> 60.5%)
Under VBCrypt/VBInject.

Re: Worm:Win32/Cridex.B

Posted: Sat Jan 14, 2012 4:45 am
by rkhunter
Observed as a BH payload.

MD5: e3fa551432bb0ac6fdcbb992e3332cd3

9/43

Drops to %appdata%\KB00725031.exe

Re: Worm:Win32/Cridex.B

Posted: Fri Jan 20, 2012 12:25 pm
by dcmorton
MS article about Cridex.B being spread through fake traffic ticket notification emails:

http://blogs.technet.com/b/mmpc/archive ... lware.aspx

Re: Worm:Win32/Cridex.B

Posted: Fri Jan 20, 2012 2:14 pm
by rkhunter
Cridex.B

MD5: 98d4503ad44ade815830019ce44caad2
23/43

Re: Worm:Win32/Cridex.B

Posted: Sat Jan 21, 2012 5:27 am
by rkhunter
MD5: 29ff4c6c301a412d0b6ce8f1b44a4983
5/43

Re: Worm:Win32/Cridex.B

Posted: Sat Jan 21, 2012 5:30 am
by rkhunter
MD5: 1fa2fe2e25ddb2365ac942be5e734681
8/43