
System Infected: W64.Cridex Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects W64.Cridex malware activity on the infected machine.

Additional Information

The Trojan may arrive on the compromised computer after being downloaded by other threats.

When the Trojan is executed, it creates the following registry entry as binary data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\[GUID]\ShellFolder\[NUMBER]=[ENCRYPTED BINARY DATA]
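The registry location above is the one persistent artifact the description gives, so a responder can check for it directly. The following PowerShell script is an added hunting example, not Symantec's signature logic or code: it walks every Explorer\CLSID\[GUID]\ShellFolder key in a user hive and reports REG_BINARY values, flagging those whose value name is purely numeric, which is the [NUMBER]=[ENCRYPTED BINARY DATA] pattern quoted above. The -HiveRoot parameter, the -MinSize noise threshold and the SHA256 column are my assumptions for triage, not something the page specifies.

```powershell
# Added hunting example, not Symantec's code. Enumerates the per-user
# Explorer\CLSID\<GUID>\ShellFolder keys named in the description and reports
# REG_BINARY values stored there.
# Assumptions (mine, not the page's): run as the user whose hive you want to
# inspect (HKCU:), or pass -HiveRoot 'Registry::HKEY_USERS\<SID>' to inspect
# another loaded hive. $MinSize is an arbitrary noise threshold.
param(
    [string]$HiveRoot = 'HKCU:',
    [int]$MinSize = 32
)

$base = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID"
if (-not (Test-Path -LiteralPath $base)) {
    Write-Output "No Explorer\CLSID key under $HiveRoot; nothing to inspect."
    return
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()

$findings = foreach ($clsid in Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue) {
    $sfPath = "$($clsid.PSPath)\ShellFolder"
    if (-not (Test-Path -LiteralPath $sfPath)) { continue }
    $sf = Get-Item -LiteralPath $sfPath
    foreach ($name in $sf.GetValueNames()) {
        # Only binary values can match "[NUMBER]=[ENCRYPTED BINARY DATA]".
        if ($sf.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) { continue }
        [byte[]]$data = $sf.GetValue($name)
        if ($data.Length -lt $MinSize) { continue }
        [pscustomobject]@{
            Key         = "$($clsid.PSChildName)\ShellFolder"
            ValueName   = $name
            # A purely numeric value name is the naming pattern quoted above.
            NumericName = ($name -match '^\d+$')
            Bytes       = $data.Length
            # Hash of the blob, for comparing hosts or submitting it for analysis.
            SHA256      = (($sha256.ComputeHash($data) | ForEach-Object { $_.ToString('x2') }) -join '')
        }
    }
}
$sha256.Dispose()

if (-not $findings) {
    Write-Output "No REG_BINARY values of $MinSize+ bytes under $base."
} else {
    # Numeric names holding large blobs are the closest match; review those first.
    $findings | Sort-Object -Property NumericName, Bytes -Descending | Format-Table -AutoSize
}
```

A hit is a lead, not a verdict: legitimate software can also write values under a user's CLSID keys, so confirm with an antivirus scan and export the key (reg export) before cleaning it. Run the script once per loaded user hive, since the description says the value lives under HKEY_CURRENT_USER and the infected account may not be the one you are logged in as.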

The Trojan opens a back door on the compromised computer and connects to one of the following locations:

The Trojan may send and receive data (including configuration files) to and from the previously mentioned locations.

The Trojan may perform the following actions:
Take screenshots
Steal information entered in forms
Inject code into websites visited on the compromised computer
Download other module components
Log keystrokes

The Trojan targets the following browsers:
Internet Explorer

Affected

Various Windows platforms.