WORM_KRYNOS.B (Low Risk)



WORM_KRYNOS.B is a destructive, memory-resident worm that propagates via peer-to-peer applications by dropping a .ZIP copy of itself in a certain folder. It may also spread via email by sending itself as an attachment. This worm has backdoor capabilities, allowing remote users to access affected machines and perform malicious tasks on them. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file. WORM_KRYNOS.B is currently spreading in the wild and infecting computers running Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops the following files in the Windows folder:

* %Windows%\Help\svchost.dat

* %Windows%\Help\svchost.exe

* %Windows%\Help\svchost.lce

It then displays the following message:

Can't open mfc73rp.dll

It creates a registry entry that allows it to automatically execute the dropped file svchost.exe at every system startup.

This worm propagates via P2P applications by making a .ZIP copy of itself in a specific folder; the file name it chooses depends on the names of the files already saved in that folder.

The worm may also propagate by sending itself as an attachment to an email message. It harvests target email addresses from files with the extensions HTM and TXT. Before sending any email, it first queries www.google.com to check that an Internet connection is available.

The email it sends contains the following details:

From: [email protected]

To: (recipient email address harvested from affected system)

Subject: Microsoft Security Update

Message body:

* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"

Affected Software:

* Impact of Vulnerability: Remote Code Execution

* Importance: High

* Maximum Severity Rating: Critical

* Recommendation: Customers should apply the attached update at the earliest opportunity

* Summary:

* Who should read this document: Customers who use Microsoft Windows

* X-Mailer: Secure Microsoft Client, Build 2.1

* X-MimeOLE: Produced By Secure Microsoft Client V2.1

* X-MSMail-Priority: High

* X-Priority: 1 (Highest)

Attachment (a copy of the worm, in one of the following archive formats):

* ARC

* ARJ

* GZ

* LZH

* TGZ

* ZIP

* ZOO

The worm avoids sending email to addresses containing certain strings.

The following backdoor capabilities are enabled by the worm:

* Get, upload, download, or delete a file

* List files in a folder

* Disconnect the current user

* Restart the system

* Run a program

* Create or delete a folder

This worm also modifies the system's HOSTS file, which contains host name to IP address mappings. This modification prevents affected users from accessing specific sites related to antivirus companies.
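The two host-based artifacts described above (the dropped svchost.* files under %Windows%\Help and the tampered HOSTS file) are straightforward to check for. The following script is an added example, not part of the original advisory or of any Trend Micro tool: it parses HOSTS content, flags entries that pin an antivirus vendor domain to an address, and matches directory-listing paths against the dropped file names. The watched-domain list, the constructed sample HOSTS content and the sample paths are assumptions for illustration.

```python
"""Detect WORM_KRYNOS.B-style host artifacts: HOSTS tampering and dropped files."""

# Vendor domains that should never appear in a stock HOSTS file. Only
# trendmicro.com is named in the advisory; extend this tuple with other
# vendors' domains as needed (assumption: a defender-maintained watchlist).
WATCHED_DOMAINS = ("trendmicro.com",)

# Entries present in a default Windows HOSTS file; these are never flagged.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# File names the advisory says the worm drops under %Windows%\Help. Note that
# the legitimate svchost.exe lives in %Windows%\System32, not in Help.
DROPPED_NAMES = ("svchost.dat", "svchost.exe", "svchost.lce")


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping blanks and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()                   # one IP followed by one or more names
        entries.extend((parts[0], host.lower()) for host in parts[1:])
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag non-default entries whose hostname is a watched domain or one of its subdomains."""
    hits = []
    for ip, host in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append((ip, host))
    return hits


def dropped_file_hits(paths):
    """Return paths (e.g. from a directory listing) that end in \\Help\\<dropped name>."""
    suffixes = tuple("\\help\\" + name for name in DROPPED_NAMES)
    return [p for p in paths if p.replace("/", "\\").lower().endswith(suffixes)]


# Constructed sample HOSTS content modelled on the behaviour the advisory describes.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com   # redirected to loopback
0.0.0.0         www.trendmicro.com
10.0.0.5        intranet.corp.test         # legitimate local override
"""

if __name__ == "__main__":
    for ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {host} -> {ip}")
```

On a live system, feed the script the contents of %Windows%\System32\drivers\etc\hosts and a listing of %Windows%\Help; any hit warrants isolating the host and running a full scan.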

If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_KRYNOS.B is detected and cleaned by Trend Micro pattern file #2.523.05 and above.
