No replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is Trojan.Agent Kryptik?
 
The Malwarebytes research team has determined that Trojan.Agent Kryptik is a Trojan Clicker. Typically these are used to perform online actions in order to boost hit-counts.
 
How do I know if I am infected with Trojan.Agent Kryptik?
 
There are hardly any visible signs unless you are actively looking. You may experience a slower then normal computer. Once you start looking what's wrong you may spot some oddly named folders in your %ApplicationData% folder. (The full path to this folder is usually C:\Documents and Settings\{username}\Local Settings\Application Data

 
The names of the folders are a mix of the following components:

First part list:
Game,Tool,Utility,Sysutil,Browser,Navigator,Modulator,Receiver,Calculator,Validator,UI,Provider,Teller,Narrator,Supporter,Volunteer,Vinyl,Polyester,Cotton,Whisky

Second part list:
Visual,Optional,Jawa,Software,Assistant,Model,Gravity,Higgs,Medium,Noteworthy,Pale,Infinity,Voice,Sync,Joint,Mobile,Wireless,Radio,Humble,Beerware
 
I highlighted the examples we found to demonstrate how this turned out in the screenshot above.
 
If you run HijackThis, OTL or something similar you will find a corresponding Startup key.
 

O4 - HKCU\..\Run: [VolunteerJoint] C:\Windows\System32\rundll32.exe "C:\Documents and Settings\{username}\Local Settings\Application Data\VolunteerJoint.dll",DllRegisterServer

Using Process Explorer or a similar tool that enables you to look at the properties of a running process you can look at rundll32.exe and see the dll it has loaded.


How did Trojan.Agent Kryptik get on my computer?
Trojans use many ways to infect your computer. This particular one was spread by using Silverlight and Adobe Flash exploits following this flowchart:

A full analysis of the exploit can be found on our blog

How do I remove Trojan.Agent Kryptik?

• Find the running process as shown earlier, make note of the path to the dll and kill the process.
• Find the folder(s) that belong to the Trojan infection. Look at the naming convention earlier, but leave them alone if you are unsure. The following scan will get the important components.
• Remove the Run key. Preferably using the tool that showed it or directly from the registry.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

How would the full version of Malwarebytes Anti-Malware help protect me?
 
We hope our application and this guide have helped you eradicate this hijacker.  
 
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Name of the rogue hijacker.  It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
 

 

Technical details for experts

You can find all the details about the exploit in this blogpost

Malwarebytes Anti-Malware log:
 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/12/2014
Scan Time: 12:33:48 PM
Logfile: unknownEK.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.12.06
Rootkit Database: v2014.09.12.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 271773
Time Elapsed: 2 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 1
Trojan.Agent, C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll, , [cbfbea02bac1b383f7561ba46899f20e], 

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Agent, HKCU-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|VolunteerJoint, C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll",DllRegisterServer, , [cbfbea02bac1b383f7561ba46899f20e]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent, C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll, , [cbfbea02bac1b383f7561ba46899f20e], 

Physical Sectors: 0
(No malicious items detected)


(end)

 
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.