VBS_KRYPTIK.A

 Analysis by: Jennifer Gumban

 ALIASES:

VBS/Kryptik.N (ESET), UDS:DangerousObject.Multi.Generic (Kaspersky)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Trojan may arrive bundled with malware packages as a malware component. It may be hosted on a website and run when a user accesses the said website.

It drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.

It drops copies of itself in all removable drives.

It modifies the Internet Explorer Zone Settings.

It modifies certain registry entries to hide Hidden files.

  TECHNICAL DETAILS

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It may be hosted on a website and run when a user accesses the said website.

Installation

This Trojan drops the following files:

  • %Temp%\system32..exe
  • %Temp%\system32..vb

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

It drops and executes the following files:

  • %Temp%\mshta.exe

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

It drops the following copies of itself into the affected system:

  • %Temp%\{Original File Name}

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Original File Name} = "%Windows%\system32\wscript.exe /b "%Temp%\{Original File Name}""

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Original File Name} = "%Windows%\system32\wscript.exe /b "%Temp%\{Original File Name}""

It drops copies of itself in the Windows Common Startup folder to enable its automatic execution at every system startup.

Propagation

This Trojan drops copies of itself in all removable drives.

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://games-google.{BLOCKED}nterstrike.com:155/?mew
  • http://games-google.{BLOCKED}nterstrike.com:155/?uns

It modifies the following registry entries to hide Hidden files:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is "1".)

NOTES:

This malware copies the file names in removable drives and creates shortcut files (.LNK) that point to a copy of itself. This is done to trick users into clicking the shortcut files and execute the malware copy. It also uses ! Videos.lnk as file name, with attributes of a directory.

Analysis shows that this malware can use different original file names. In our analysis, the file name used by this malware is SYSTEM.VBS.