
Kryptik.t


11 replies to this topic

#1 Ktze Hut

Ktze Hut

  • Members
  • 56 posts

Posted 04 January 2014 - 11:57 AM

Hi,

 

Upon inserting one of my flash drives into my laptop, ESET NOD32 indicated it is infected with Kryptik.t. The file name itself is jave.vbs.

 

I searched ESET's database to learn what Kryptik.t is, and there were no details about, apart from it being a trojan.

http://www.virusradar.com/en/VBS_Kryptik.T/description

 

I wasn't able to learn anything regarding the file name.

 

Reading through ESET's database I learned there are numerous variants of Kryptik, some of them quite nasty.

 

I am currently working on cleaning up my machines (with assistance from the forum), but I would also like to understand what's the nature of the beast.

 

What is Kryptik? What is Kryptik.t? What differentiates it from other trojans? Does the file name have any significance? Can Kryptik morph itself into a file with a different name? What are reputable sources to learn about such malware?

 

Thanks!

Ktze




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 January 2014 - 10:01 PM

Most likely a variant of:
ESET: Win32/Kryptik.BGIS
Sophos: Troj/Kryptik-T
AVG: Cryptic <- 1879 known variants


Alias: Zbot/Z-bot (Zeus) variant
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 04 January 2014 - 11:42 PM

I have had systems with facebook.vbs and cool.vbs to fix. It spreads via flash drives while also hiding the user's files on that flash drive and creating shortcuts with the now-hidden files' names.

 

So it sounds like jave.vbs could be Worm:VBS/Jenxcus / Worm.VBS.Dunihi: https://www.virustotal.com/en/file/036c791f4020db05bdd89be4d91f836f926b78cf87a3a7728fe22b78418ee17a/analysis/

 

 

Quads


Edited by Quads, 04 January 2014 - 11:43 PM.


#4 Ktze Hut

Ktze Hut
  • Topic Starter

  • Members
  • 56 posts

Posted 05 January 2014 - 01:02 AM

quietman7, Quads,

 

Thanks, I appreciate your quick and informative responses!

 

The behavior of my flash drives is as Quads described - hiding users files and creating shortcuts.

 

I've also located jave.vbs on one of my machines at: HKCU\Software\Microsoft\Windows\CurrentVersion\Run,

just as Microsoft describes here:

 

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VBS/Jenxcus#tab=2

 

All of my household's machines are potentially compromised, since the flash drives have been passed around, as well as numerous devices with flash memory.

 

I'm currently working on resolving this through the forum with Broni.

 

Ktze



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 January 2014 - 08:26 AM

You're welcome on behalf of the Bleeping Computer community and good luck.

#6 Ktze Hut

Ktze Hut
  • Topic Starter

  • Members
  • 56 posts

Posted 05 January 2014 - 08:52 AM

Hi,

 

I have some important follow-up questions, on how to manage and use the potentially infected computers and other devices while the clean-up process is taking place.

 

  • I regularly use an external hard disk (usb connection) with one of my computers. Is it potentially infected with Kryptik.t?

 

  • If I plug in the external hard disk and a flash drive to a potentially infected computer that is not connected to the internet, and transfer data between the flash drive and the hard disk, can Kryptik.t access this data? Can it upload this data once I reconnect to the internet? Where does it store data that it uploads?

 

  • How do I prevent the upload of data while cleanup is taking place? (apart from not connecting to the internet...)

Thanks!



#7 Quads

Quads

  • Members
  • 86 posts
  • Gender:Male
  • Location:CHCH New Zealand

Posted 05 January 2014 - 05:03 PM

Broni is doing the work on your system(s) and Drives.

 

The malware talked about in this thread does spread via connected drives. I had one user, before getting help, say that he connected more than one flash drive in testing and those flash drives got infected also (if I remember, 5 of them).

 

I used these commands for each drive as part of the cleaning etc.

 

rem List every non-hidden item on the drive, recursively, in bare format (shows the dropped shortcuts and script)
dir /a:-h /s /b "[drive letter]:\" /c

rem Clear the Hidden and System attributes the worm set on the user's files and folders, recursively (folders included)
attrib -h -s "[drive letter]:\*" /s /d

 

But it is up to the malware helper what they want to do and how, as it depends on a lot of factors. Systems are not the same from one infected system to the next, including what the user may have done.

 

Quads
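A read-only check for the symptom described earlier in the thread (user files flagged hidden, look-alike shortcuts dropped beside them, and a script launched from the per-user Run key), written as an added example; it is not code from this thread, from ESET or from Microsoft, and it is not a substitute for the helper's procedure. It assumes a Windows host with the suspect drive attached and a drive letter supplied by the operator, reads shortcut targets without opening them, and only clears the Hidden/System attributes (the effect of the attrib command above) when -Restore is given. The exclusion list and the script-extension list are the editor's assumptions.

```powershell
<#
  Added example (not from the thread or any vendor). Audits a removable drive for
  hidden user data sitting next to .lnk decoys of the same name, lists script
  files on the drive, and lists HKCU Run entries that invoke a script host.
  Assumptions: Windows host, drive attached, drive letter passed by the operator.
#>
param(
    [Parameter(Mandatory)][string]$DriveLetter,   # e.g. E
    [switch]$Restore                              # clear Hidden/System bits when set
)

$root = "${DriveLetter}:\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

# Folders the filesystem itself hides; their attributes are left alone (assumed list).
$skip = @('System Volume Information', '$RECYCLE.BIN')

# 1. Everything on the drive carrying the Hidden or System bit: the tucked-away user data.
$hidden = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $skip -notcontains $_.Name -and
        ($_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
         $_.Attributes.HasFlag([IO.FileAttributes]::System))
    }

# 2. Shortcuts whose base name matches a hidden item in the same folder: the decoys.
#    The target and arguments are read through the COM shortcut object, never launched.
$shell  = New-Object -ComObject WScript.Shell
$decoys = Get-ChildItem -LiteralPath $root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    ForEach-Object {
        $twin = Join-Path $_.DirectoryName $_.BaseName
        if (Test-Path -LiteralPath $twin) {
            $item = Get-Item -LiteralPath $twin -Force
            if ($item.Attributes.HasFlag([IO.FileAttributes]::Hidden)) {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    HiddenTwin = $twin
                    Target     = $lnk.TargetPath
                    Arguments  = $lnk.Arguments
                }
            }
        }
    }

# 3. Script-host files anywhere on the drive (extension list is an assumption).
$scripts = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.vbe', '.js', '.wsf' }

# 4. Per-user Run entries that invoke a script host; this is the key the thread found
#    jave.vbs under. Properties named PS* are provider metadata, not Run values.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runHits = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '\.(vbs|vbe|js|wsf)\b|wscript|cscript' } |
    ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }

"Hidden/System items : $(@($hidden).Count)"
"Decoy shortcuts     : $(@($decoys).Count)"
"Script files        : $(@($scripts).Count)"
"Run-key script hits : $(@($runHits).Count)"
$decoys  | Format-Table -AutoSize
$scripts | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
$runHits | Format-Table -AutoSize

if ($Restore) {
    # Clear only the Hidden and System bits; every other attribute is preserved.
    $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    foreach ($h in $hidden) {
        $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band -bnot $mask)
    }
    "Cleared Hidden/System on $(@($hidden).Count) items; decoys and script files are listed above for removal."
}
```

Run it as `.\Audit-RemovableDrive.ps1 -DriveLetter E` (file name assumed) to get the report only; the decoy table shows which command each shortcut would have run, which is the evidence a helper would want before anything is deleted. Only the attribute bits are changed by -Restore; the .lnk files, the script and the Run-key entry are reported rather than removed, because deciding on those belongs to whoever is handling the case.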



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 January 2014 - 05:46 PM

Yes, you should refrain from asking for help from other members or staff while you are being instructed by another staff member with a malware issue. Any modifications you make on your own can result in system changes which may not show in the log(s) you already posted. Further, following advice from others outside of that topic may cause confusion for the team member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

Broni can provide all that information when disinfection is complete.

#9 Ktze Hut

Ktze Hut
  • Topic Starter

  • Members
  • 56 posts

Posted 05 January 2014 - 06:04 PM

Quads, quietman7,

 

I truly appreciate your replies, and I am very grateful for all the help being provided, knowing it is all on a completely volunteer basis.

 

I'm asking these questions in order to learn as best as I can alongside the cleanup process.

 

I have several machines in my household which are potentially infected, apart from the one that I am currently working on with Broni. These machines continue to be used throughout the current cleanup process. My questions were intended to help me best contain and manage the other machines until we get to them.

 

Thanks,

Ktze



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 05 January 2014 - 06:39 PM

I understand where you are coming from and the frustration at having to deal with malware issues on several machines. However, it's better to deal with one at a time as not all infections are entirely the same.

The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious browser extensions which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.

#11 Ktze Hut

Ktze Hut
  • Topic Starter

  • Members
  • 56 posts

Posted 07 January 2014 - 12:29 PM

quietman7,

 

Work on my machine with Broni is finished and it is clean.

 

I've begun to trace where the jave.vbs file may have come from, and am helping and referring those people with potential infections to post on BC. So if you see an uptick in specific Kryptik.t posts, that's probably where it's coming from...

 

Ktze



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 January 2014 - 01:02 PM

BC is the place to come for assistance with this sort of stuff.





