Kryptik.A_169 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.
Process Related Changes
It creates the following mutex(es):
- .net clr networking"
- c:!documents and settings!admin!local settings!history!history.ie5!"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!cookies!"
It creates the following process(es): - C:\WINDOWS\Temp\dec41e83fff479b594351372e336f969.exe [ \c:\windows\temp\dec41e83fff479b594351372e336f969.exe ]
- C:\WINDOWS\Temp\dec41e83fff479b594351372e336f969.exe [ \c:\windows\temp\dec41e83fff479b594351372e336f969.exe ]
- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
It injects malicious code into the following process(es): - "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network Activity
We observed the following DNS query/queries: - smtp.yandex.com
- whatismyipaddress.com
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKLM\system\CurrentControlSet\Services\eventlog\application\esent\= C:\WINDOWS\system32\ESENT.dll
- HKLM\system\CurrentControlSet\Services\eventlog\application\esent\= _Special_Characters_
- HKLM\system\CurrentControlSet\Services\tcpip\parameters\= _Special_Characters_
- HKLM\system\CurrentControlSet\Services\tcpip\parameters\= C:\WINDOWS\system32\ESENT.dll
|
