UPDATE: CYREN Continues to Analyze Significant Malware Attack
For the last 24 hours, CYREN’s Virus Outbreak Detection (VOD) has been monitoring a significant malware attack, with over 80% of all malware passing through the CYREN VOD system containing this Trojan virus with obfuscated Visual Basic macro code. As we delve more deeply into our analysis of the virus, we are learning more.
The downloaded executable file DCITXEKBIRG.EXE is a malicious Trojan/Downloader and is a variant of “Cridex” family. Cridex is a known family of botnets that can steal user’s personal information such as their banking user names and passwords, as well as their personal info from social networking websites. It does this by monitoring the user’s keystroke activities particularly on financial or banking websites and sends those data to the C&C server.
Once executed, it will drop a copy of itself to:
“%userprofile%/Local Settings/Application Data/edg4.exe”
It created the following registry keys:
HKLM\SOFTWARE\Microsoft\ESENT\Process\<filename>\DEBUG = “ Trace Level”
While running, the virus attempts to connect to its C&C server; once a connection has been established, it waits for further instructions from the server. The server usually sends the infected machine a configuration file containing further instructions such as downloading and installing other malicious files.
This particular variant tried to connect to IP address 184.108.40.206 where the C&C server is being hosted.
Additional details on this story can be found in our previous blog article: CYREN First To Detect Significant Malware Attack