Worm.Win32.Cridex

Detect Date 06/03/2016
Class Worm
Platform Win32
Description

Originally, Worm.Win32.Cridex was a worm that spread through removable disks. The worm evolved over the years to become full-featured banking malware.

Later versions of the malware are able to perform the following actions:
• Web injects
• Screenshots and clickshots (pictures of web pages taken when the user clicks the mouse)
• Blocking access to certain Internet sites
• Redirecting the user from one URL to another

Worm.Win32.Cridex carefully hides its command-and-control server by using a P2P network and a proxy server.

Communication with the command-and-control server uses symmetric encryption, plus additional XOR encryption for the configuration file received from the command-and-control server.

Geographical distribution of attacks by the Worm.Win32.Cridex family


Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country              % of users attacked worldwide*
1     Poland               19.93
2     Germany              10.13
3     Azerbaijan           7.84
4     Russian Federation   7.19
5     France               5.23
6     India                4.90
7     United Kingdom       4.90
8     Iran                 3.92
9     Malaysia             3.27
10    China                2.94

* Percentage among all unique Kaspersky users worldwide attacked by this malware