Kryptik.GY variant

MX Lab  intercepts a new variant of the trojan Kryptik.GY. The senders address, the subject are random and some parts of the content is based on the senders address as well.

Content of the message:

Hello, **********.

Febraly, Monday 16, 2009, 09:4:57 AM, you wrote: 

> Good afternoon

> Please send recommendations to improve the business in the face of crisis.
> Attach the plane that is business.

Hello

We are prepared, see the attached document. Check out the second line with our agreement.  

–  

Best regards,******.********      
 mailto:*****.*******@mail.ihs.gov

The email has the attachment Document.zip (but can be different or changing) and contains the file “Document.Doc__***__.exe” with many underscores in the file name.

This is a trojan that attempts to intercept network traffic in order to steal information. This trojan also encompasses rootkit functionality to hide itself. A file %Temp%\svchost.exe is being created, registry changes will be made so that the trojan will start every time the computer is booted with a svchost.exe service.

Virustotal permlink and MD5: ea31bd6b2d7d57120c63a19e2e187e13.