Analysis by: Mark Joseph Manahan
ALIASES:

a variant of Win32/Kryptik.AHYH trojan (ESET); W32/Trojan3.DTZ (exact) (FPROT); W32/Kryptik.WDV!tr (Fortinet)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 169,472 bytes
File Type: EXE
Initial Samples Received Date: 06 Jul 2012

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %User Profile%\Application Data\KB{random number}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
KB{random number} = "%User Profile%\Application Data\KB{random number}.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{9 Random letters or numbers 1}

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{9 Random letters or numbers 2}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\{9 Random letters or numbers 2}
@ = "{Hex Values}"

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.61.59/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.150.72/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.189.124/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.13.84/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.147.35/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.252.26/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.147.52/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.23.100/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.250.173/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.194.242/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.189.212/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.5.140/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.2.214/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.164.18/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.134.23/za/v_01_a/in
  • http://{BLOCKED}.{BLOCKED}.179.185/za/v_01_a/in

It deletes itself after execution.