W32.Cridex
This report is about a harmful worm called W32.Cridex. Once it enters your computer, it performs tasks in the background that further harm the system. We advise removing the worm using the guide on this page.
W32.Cridex is a computer worm that propagates by dropping a copy of itself to network drives and to removable media such as external hard drives and USB flash drives. This worm also opens a backdoor to download and execute malicious code on the victim's computer.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7
Characteristics
Once activated, W32.Cridex will make a copy of itself on the following location:
%UserProfile%\Application Data\[Random Characters].exe
The worm then adds files in various locations. The following files are essential to the worm while it occupies the computer:
- %UserProfile%\Application Data\[Random Numeric Characters]\[Random Numeric Characters].DAT.DAT
- %UserProfile%\Application Data\[Random Numeric Characters]\[Random Numeric Characters].DAT
- %Temp%\POS[Random Numeric Characters].BAT
- %System%\drivers\[Random Numeric Characters].sys
To have a spot on Windows start-up, this worm will add the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[Random Characters].exe"
= "%UserProfile%\Application Data\[Random Characters].exe"
W32.Cridex opens a backdoor that lets the attacker organize follow-up attacks and carry out the following actions:
- Upload files from the infected computer to a specified server
- Download files from a remote server and execute them on the compromised system
- Monitor Internet and network traffic
Distribution
This worm can arrive on the system through several methods: malicious web sites, spam email campaigns and instant messenger applications.
Locally, it spreads by copying itself to network drives and removable devices as the following file:
%DriveLetter%\[Random Characters]\[Random Characters].exe
Next, to execute the above file when the infected drive is accessed, the worm takes advantage of the default Windows Autorun settings by adding the following file:
%DriveLetter%\autorun.inf
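As an added triage example (not code from the original guide or from any vendor tool), the following Python script checks the two persistence mechanisms described above: Run-key values that launch a bare executable straight from %UserProfile%\Application Data, and an autorun.inf on a removable drive whose open= or shellexecute= line launches an .exe from a subfolder of the drive. The Run-key entries and the autorun.inf body embedded in the script are constructed samples; the names KLGIEAX.exe, ZQ7H2 and kd93l.exe are invented placeholders. On Windows the script can optionally read the live HKCU Run key through the standard winreg module; elsewhere it falls back to the sample data.

```python
"""Triage helper for the W32.Cridex persistence pattern described in the guide.
Added example, not part of the original page. All sample data is constructed."""
import configparser
import re
from typing import Dict, List

# The guide's drop location: %UserProfile%\Application Data\<random>.exe
SUSPECT_DIR_RE = re.compile(
    r"^%userprofile%\\application data\\[^\\]+\.exe$", re.IGNORECASE
)
# Same location with the variable expanded, as it appears on Windows XP
# (C:\Documents and Settings\<user>\Application Data). Assumed layout.
SUSPECT_EXPANDED_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\application data\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Constructed sample Run-key values (value name -> command). Not real data.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "KLGIEAX.exe": '"%UserProfile%\\Application Data\\KLGIEAX.exe"',
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
}

# Constructed sample autorun.inf following the guide's %DriveLetter%\<random>\<random>.exe layout.
SAMPLE_AUTORUN = """[autorun]
open=ZQ7H2\\kd93l.exe
shellexecute=ZQ7H2\\kd93l.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def read_hkcu_run() -> Dict[str, str]:
    """Read the live HKCU\\...\\Run key on Windows; return {} on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values[name] = str(data)
            index += 1
    return values


def flag_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return the names of Run-key values whose command is a bare executable
    directly under Application Data, the layout the guide attributes to the worm."""
    hits: List[str] = []
    for name, command in run_values.items():
        target = command.strip().strip('"')
        if SUSPECT_DIR_RE.match(target) or SUSPECT_EXPANDED_RE.match(target):
            hits.append(name)
    return hits


def autorun_targets(autorun_text: str) -> List[str]:
    """Parse an autorun.inf body and return every command it would launch on
    drive access: open=, shellexecute= and any shell\\...\\command= key."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    parser.optionxform = str  # keep key spelling as written in the file
    parser.read_string(autorun_text)  # the file must start with a [section] header
    targets: List[str] = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            lowered = key.lower()
            if lowered in ("open", "shellexecute") or lowered.endswith("\\command"):
                targets.append((value or "").strip())
    return targets


def suspicious_autorun(autorun_text: str) -> bool:
    """True when autorun.inf launches an .exe from a subfolder of the drive,
    matching the guide's %DriveLetter%\\<random>\\<random>.exe layout."""
    for command in autorun_targets(autorun_text):
        exe = command.split()[0].strip('"') if command else ""
        if exe.lower().endswith(".exe") and "\\" in exe:
            return True
    return False


if __name__ == "__main__":
    live = read_hkcu_run() or SAMPLE_RUN_VALUES
    print("Run-key entries matching the drop pattern:", flag_run_values(live))
    print("autorun.inf launch targets:", autorun_targets(SAMPLE_AUTORUN))
    print("autorun.inf suspicious:", suspicious_autorun(SAMPLE_AUTORUN))
```

Run as-is, the script reports on the constructed samples; on a Windows machine it reports on the real Run key instead. A hit is a lead for manual review rather than proof of infection: legitimate software also registers Run entries, although rarely as a bare executable sitting directly under Application Data, and an autorun.inf that launches an executable from a random-looking subfolder is exactly the spreading layout this guide describes.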
How to Remove W32.Cridex
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Cridex, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now boot and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if they cannot be deleted, place them in quarantine instead. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
An additional removal tool such as Norton Power Eraser provides deeper scanning to eliminate threats that a normal virus scan does not detect. Use this tool with extra caution.
5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double-click the file NPE.exe to run the program.
7. It will prompt for the End User License Agreement; click Accept to continue.
8. In the NPE main window, click Scan. Then select Exclude Rootkit Scan and click Continue to proceed.
9. Virus scanning may take some time. After the scan finishes, NPE will display the results.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in the Detected category need to be removed at this point. Make sure that Create System Restore Point is checked before proceeding with the fix.
10. Now click Fix to start removing the threats, including any W32.Cridex remnants.
11. When done, Norton Power Eraser will restart the computer. After the reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.
Alternative Removal Method for W32.Cridex
Option 1 : Use Windows System Restore to return Windows to previous state
If W32.Cridex enters the computer, there is a good chance that Windows files, registry entries and other essential components are also affected. System Restore can reinstate clean system files by restoring the configuration to an earlier date, replacing compromised files with clean versions. If you have a restore point saved from before W32.Cridex infiltrated the PC, we highly encourage this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.