Platform: Windows 2000, Windows XP, Windows Server 2003
This description is based on a compiled analysis of several variants of TROJ_KRYPTIK. Note that specific data such as file names and registry values may vary for each variant.
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives as a file that exports the functions of other malware/grayware. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages.
File size: Varies
File type: PE
Memory resident: Yes
Installation
This Trojan drops the following copies of itself into the affected system:
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{random name} = "{malware path}\{malware file name}"
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and file name} = "{malware path and file name}.exe:*:Enabled:ldrsoft"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
SaveZoneInformation = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
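As an added example (not part of the Trend Micro description), the following Python script parses an exported .reg file offline and flags the modifications listed above, correlating Run autostart entries with the firewall exception tagged "ldrsoft" so that legitimate autostart entries are not reported. The sample export, the binary name ldrsoft.exe and the Run value name xkqzpw are constructed; only the key paths, value names and the ":*:Enabled:ldrsoft" suffix come from the page.

```python
# Constructed .reg export (not a real capture): key paths, value names and the ":*:Enabled:ldrsoft"
# suffix follow the page; "ldrsoft.exe" and the Run value name "xkqzpw" are invented sample data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"xkqzpw"="C:\\Users\\u\\AppData\\Roaming\\ldrsoft.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\u\\AppData\\Roaming\\ldrsoft.exe"="C:\\Users\\u\\AppData\\Roaming\\ldrsoft.exe:*:Enabled:ldrsoft"
'''

def _unquote(s: str) -> str:  # drop the surrounding quotes of a .reg string and undo its escapes
    return s[1:-1].replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Map lowercased key path -> {value name: value}; decodes REG_SZ and dword values only."""
    keys, current = {}, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"'):
                current[_unquote(name)] = _unquote(raw)
            elif raw.startswith("dword:"):
                current[_unquote(name)] = int(raw[6:], 16)
    return keys

def find_indicators(keys: dict[str, dict[str, object]]) -> list[str]:
    """Flag the modifications listed above; a Run entry counts only when it launches the firewall-authorized binary."""
    hits, fw_apps = [], set()
    for path, vals in keys.items():
        if path.endswith(r"\policies\system") and vals.get("DisableTaskMgr") in (1, "1"):
            hits.append(f"DisableTaskMgr=1 under {path}")
        if path.endswith(r"\internet explorer\download") and str(vals.get("CheckExeSignatures", "")).lower() == "no":
            hits.append("CheckExeSignatures=no (IE skips the signature check on downloaded executables)")
        if path.endswith(r"\authorizedapplications\list"):
            fw_apps |= {a.lower() for a, r in vals.items() if str(r).lower().endswith(":*:enabled:ldrsoft")}
    hits += [f"firewall exception tagged 'ldrsoft' for {a}" for a in sorted(fw_apps)]
    for path, vals in keys.items():  # autostart entries that launch the whitelisted binary
        if path.endswith(r"\currentversion\run"):
            hits += [f"Run entry '{n}' launches {t}" for n, t in vals.items() if str(t).strip('"').lower() in fw_apps]
    return hits

if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```

On a live host the same logic applies to an export produced with `reg export`, or the two HKCU policy keys and the HKLM firewall list can be dumped individually.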
Rogue Antivirus Routine
This Trojan displays the following fake alerts:
Minimum scan engine: 9.200
Trend customers:
Keep your pattern and scan engine files updated. Trend Micro antivirus software can clean or remove most types of computer threats. Malware identified as uncleanable, such as Trojans, scripts, overwriting viruses and joke programs, should simply be deleted.
All Internet users: