Kryptik.GY variant

February 20, 2009 Leave a Comment

MX Lab  intercepts a new variant of the trojan Kryptik.GY. The senders address, the subject are random and some parts of the content is based on the senders address as well.

Content of the message:

Hello, **********.

Febraly, Monday 16, 2009, 09:4:57 AM, you wrote: 

> Good afternoon

> Please send recommendations to improve the business in the face of crisis.
> Attach the plane that is business.

Hello

We are prepared, see the attached document. Check out the second line with our agreement.  

–  

Best regards,******.********      
 mailto:*****.*******@mail.ihs.gov

The email has the attachment Document.zip (but can be different or changing) and contains the file “Document.Doc__***__.exe” with many underscores in the file name.

This is a trojan that attempts to intercept network traffic in order to steal information. This trojan also encompasses rootkit functionality to hide itself. A file %Temp%\svchost.exe is being created, registry changes will be made so that the trojan will start every time the computer is booted with a svchost.exe service.

Virustotal permlink and MD5: ea31bd6b2d7d57120c63a19e2e187e13.

Filed under Viruses Tagged with , ,

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 109 other followers