W32.Cridex


Risk Level 1: Very Low

January 20, 2012
November 12, 2015 1:57:18 PM
Infection Length:
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
W32.Cridex is a threat that adds the compromised computer to a botnet and injects itself into the victim’s web browser in order to steal information, including banking credentials.

The malware typically arrives through emails with malicious attachments. The threat can self-replicate by spreading to removable devices.

Once the threat executes, it opens a back door on the computer. The malware downloads additional files and adds the computer to a botnet. It is capable of logging keystrokes and capturing screenshots. It can also inject content into banking sites that the user visits, allowing the threat to steal any sensitive information that the victim inputs.

The threat is mainly distributed through emails with malicious attachments. It can also self-replicate by copying itself to mapped and removable drives.

The email usually includes a Microsoft Office attachment with malicious macros. The body of the email usually contains social engineering in an attempt to trick the user into opening the file.

The message typically claims that the attachment is an invoice or shipment notice. If the user opens the document, then they are prompted to enable Office macros, which are disabled by default. If the user does this, then the macro will execute, downloading and installing W32.Cridex on the computer.
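As an added example (not Symantec's code) of a gateway-side check for the delivery vector described above, the following Python script uses only the standard library to parse a raw e-mail and flag Office attachments that carry a VBA project (stored as a vbaProject.bin part inside the OOXML zip) or that use a macro-enabled file extension. The "invoice" message and its attachment are constructed inline for the demonstration.

```python
"""Flag e-mail attachments that carry Office macros, the W32.Cridex delivery vector.

Added example, not Symantec code. OOXML documents are zip archives; a VBA project
is stored as a vbaProject.bin part (word/, xl/ or ppt/ folder), so its presence
can be checked without any Office-specific library.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def macro_attachments(raw_message: bytes) -> list:
    """Return the file names of attachments that contain or declare VBA macros."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        # Content check first (catches renamed files), extension check as fallback.
        if has_vba_project(data) or name.lower().endswith(MACRO_EXTENSIONS):
            flagged.append(name)
    return flagged


def build_sample_message(with_macro: bool = True, filename: str = "invoice.docm") -> bytes:
    """Constructed sample: an 'invoice' lure with a minimal OOXML attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not real VBA
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The extension fallback is deliberately broad: a .docm without a VBA part is harmless, but blocking the extension outright matches the common gateway policy for this lure.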

W32.Cridex is capable of propagating by itself. After infecting a computer, the threat can spread by copying itself to network drives and attached local storage devices, such as USB keys. The malware runs any time a compromised drive is accessed.

When the threat is executed, it registers the compromised computer with one of Cridex’s botnets. The threat then communicates with the bot controller and receives commands over a peer-to-peer (P2P) network of infected computers. The P2P functionality was designed to make the threat more resilient to takedowns, as there is no single central command-and-control (C&C) server that distributes orders.

The commands that are sent to an infected computer may instruct the malware to perform a variety of activities. The threat can open a back door on the computer, giving the attackers greater access to resources. It can download additional files or modules to further extend its capabilities.

The malware can also perform a variety of information-stealing activities, such as logging keystrokes and capturing screenshots. It can also inject itself into browser processes to monitor communications and steal information, such as passwords, cookies, and web form content.

If the threat detects that the user is visiting a specific banking website, it injects malicious code into the browser to display fraudulent web pages. This content mimics the appearance of a banking site’s login page or transaction section, so any information that the user inputs is sent to the attackers.

Geographical distribution
Symantec has observed the following geographic distribution of this threat:

Symantec has observed the following global Cridex infection trends between January and October 2015:

Symantec protection
The following Symantec detections protect against this threat family.

Intrusion Prevention System
Email protection
Symantec Messaging Gateway’s Disarm technology also protects computers from this threat by removing the malicious content from the attached documents before they even reach the user. Email-filtering services such as Symantec Email Security.cloud can help to filter out potential targeted attack emails before they can reach users.

Antivirus Protection Dates

  • Initial Rapid Release version January 20, 2012 revision 017
  • Latest Rapid Release version May 27, 2015 revision 007
  • Initial Daily Certified version January 21, 2012 revision 009
  • Latest Daily Certified version May 27, 2015 revision 016
  • Initial Weekly Certified release date January 25, 2012
Writeup By: Laura O'Brien
