VBS_KRYPTIK.A
Aliases: VBS/Kryptik.N (ESET), UDS:DangerousObject.Multi.Generic (Kaspersky)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.
It drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.
It drops copies of itself in all removable drives.
It modifies the Internet Explorer Zone Settings.
It modifies a registry entry so that Windows Explorer does not display files that carry the Hidden attribute.
TECHNICAL DETAILS
Arrival Details
This Trojan may arrive bundled with malware packages as a malware component.
It may be hosted on a website and run when a user accesses the said website.
Installation
This Trojan drops the following files:
- %Temp%\system32..exe
- %Temp%\system32..vb
(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)
It drops and executes the following files:
- %Temp%\mshta.exe
It drops the following copies of itself into the affected system:
- %Temp%\{Original File Name}
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Original File Name} = "%Windows%\system32\wscript.exe /b "%Temp%\{Original File Name}""
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Original File Name} = "%Windows%\system32\wscript.exe /b "%Temp%\{Original File Name}""
(Note: %Windows% is the Windows folder, which is usually C:\Windows. The /b switch runs the script in batch mode, so script errors produce no dialog and the launch stays silent.)
It drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.
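The following PowerShell check is an added example and is not code from the original entry. It enumerates the two Run keys and the Common Startup folder listed above and reports entries that match the "wscript.exe /b <script under a Temp folder>" pattern. It is written against PowerShell 2.0 constructs so that it also runs on the older platforms this entry lists; it assumes a live Windows host and read access to the keys (run it from an elevated prompt to read HKLM reliably).

```powershell
# Added example (not from the original entry): hunt for the autostart entries
# described above. Assumes a live Windows host; no paths or names are hard-coded
# beyond the registry locations named in the entry.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# wscript.exe /b runs a script in batch mode: errors raise no dialog, so a broken
# or deleted script stays silent at logon. Legitimate software rarely registers an
# autostart this way, and a script under a Temp folder makes it more suspicious.
# -match is case-insensitive by default, so C:\WINDOWS\Temp and C:\Users\...\Temp match.
$runPattern = 'wscript\.exe\s+/b\s+"?[^"]*\\temp\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # PSPath, PSParentPath, PSChildName and PSProvider are provider metadata,
        # not registry values, so skip them.
        if ($prop.Name -like 'PS*') { continue }
        if (($prop.Value -is [string]) -and ($prop.Value -match $runPattern)) {
            New-Object PSObject -Property @{
                Location  = $key
                ValueName = $prop.Name
                Command   = $prop.Value
            }
        }
    }
}

# The Common Startup folder runs for every user who logs on interactively. Its
# location is read from the Shell Folders key, which exists on every platform the
# entry lists (Environment.SpecialFolder.CommonStartup is not available on .NET 2.0).
$shellFolders  = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$commonStartup = $shellFolders.'Common Startup'
$scriptTypes   = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.lnk')

Get-ChildItem -Path $commonStartup -Force -ErrorAction SilentlyContinue |
    Where-Object { (-not $_.PSIsContainer) -and ($scriptTypes -contains $_.Extension.ToLower()) } |
    Select-Object FullName, Length, LastWriteTime, Attributes
```

Any Run value that the first loop prints, and any script or shortcut in the Common Startup listing, should be compared against the %Temp% paths in the Installation section before it is removed; -Force is used on the folder listing because the entry also describes the malware hiding files from Explorer.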
Propagation
This Trojan drops copies of itself in all removable drives.
Web Browser Home Page and Search Page Modification
This Trojan modifies the Internet Explorer Zone Settings.
Other Details
This Trojan connects to the following possibly malicious URL:
- http://games-google.{BLOCKED}nterstrike.com:155/?mew
- http://games-google.{BLOCKED}nterstrike.com:155/?uns
It modifies the following registry entry so that Windows Explorer does not display files that carry the Hidden attribute:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"
(Note: The default value data of the said registry entry is "1".)
NOTES:
This malware takes the names of the files found on a removable drive and creates shortcut files (.LNK) bearing those names that point to its own copy on the drive. This is done to trick users into clicking the shortcuts and thereby executing the malware copy. It also uses the file name ! Videos.lnk, presenting that shortcut with the attributes of a directory so that it appears to be a folder.
Analysis shows that this malware can use different original file names. In the sample analyzed, the file name used was SYSTEM.VBS.
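The following PowerShell check is an added example and is not code from the original entry. It covers the removable-drive lure described in the notes above together with the Explorer Hidden setting from the Other Details section: for every removable drive it reads each .LNK in the root, flags shortcuts whose target is a script host (wscript, cscript, mshta or cmd), whose arguments name a script file, whose name mirrors another entry on the same drive, or that use the ! Videos.lnk name, and then reports whether Explorer has been set to hide files. It assumes a live Windows host with the WScript.Shell COM object available; the drive letters and file names are read at run time rather than assumed.

```powershell
# Added example (not from the original entry): inspect removable drives for the
# .LNK lure described in the notes, and check the Explorer "Hidden" value.
# Uses PowerShell 2.0 constructs (Get-WmiObject, New-Object PSObject) so that it
# also runs on the older platforms the entry lists.

$shell = New-Object -ComObject WScript.Shell

# Win32_LogicalDisk DriveType 2 = removable disk
$removableRoots = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { $_.DeviceID + '\' }

foreach ($root in $removableRoots) {
    # -Force includes hidden and system entries, which Explorer no longer shows
    # once the Hidden value has been changed.
    $entries = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue
    if (-not $entries) { continue }

    # Names of the real files and folders on the drive (full name and name without
    # extension), used to spot shortcuts that mirror them. Shortcuts are excluded
    # so that a .LNK never matches itself.
    $realNames = @{}
    foreach ($e in $entries) {
        if ($e.Extension -ieq '.lnk') { continue }
        $realNames[$e.Name.ToLower()] = $true
        $realNames[[System.IO.Path]::GetFileNameWithoutExtension($e.Name).ToLower()] = $true
    }

    foreach ($lnk in ($entries | Where-Object { $_.Extension -ieq '.lnk' })) {
        # CreateShortcut on an existing .lnk loads it, exposing TargetPath and Arguments
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $base    = [System.IO.Path]::GetFileNameWithoutExtension($lnk.Name)
        $reasons = @()

        if ($sc.TargetPath -match '\\(wscript|cscript|mshta|cmd)\.exe$') {
            $reasons += 'target is a script host'
        }
        if ($sc.Arguments -match '\.(vbs|vbe|js|jse|wsf|hta)\b') {
            $reasons += 'arguments reference a script file'
        }
        if ($realNames.ContainsKey($base.ToLower())) {
            $reasons += "name mirrors existing entry '$base'"
        }
        if ($lnk.Name -ieq '! Videos.lnk') {
            $reasons += 'lure name noted in the analysis'
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Shortcut   = $lnk.FullName
                Target     = $sc.TargetPath
                Arguments  = $sc.Arguments
                Attributes = $lnk.Attributes
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Explorer shows files with the Hidden attribute only when this value is 1;
# any other value (the entry reports "0") keeps them out of view.
$advanced = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($advanced -and ($advanced.Hidden -ne 1)) {
    "Explorer 'Hidden' value is $($advanced.Hidden): files with the Hidden attribute are not displayed"
}
```

A shortcut reported for both "target is a script host" and "name mirrors existing entry" is the lure pattern the notes describe; the Target and Arguments columns show which script on the drive it launches, which is the copy to remove along with the shortcuts pointing at it.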