W32/Kryptik.BWOY!tr

Analysis


W32/Kryptik.BWOY!tr is a generic detection for a type of trojan. Since this is a generic detection, malware that is detected as W32/Kryptik.BWOY!tr may have varying behavior.
Below are examples of some of these behaviors:

  • Upon execution, the malware displays a fake error message box.

    Figure 1: Fake error message.

  • It drops the following file:
    • %AppData%\[RandomFilename].exe: This file is also detected as W32/Kryptik.BWOY!tr.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\[RandomRegistryValue_1]
      • [RandomRegistryValue_2] = [HexValues]

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [RandomRegistryValue_2] = "%AppData%\[RandomFilename].exe"
      This automatically executes the dropped file every time the infected user logs on.

  • It injects code into the explorer.exe process.

  • The malware connects to the site 23.9{Removed}26 via HTTP. At the time of testing, the site appeared to be offline.

  • The malware uses the Microsoft Word icon.
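The persistence mechanism listed above (a Run value under HKEY_CURRENT_USER that points at an executable dropped under %AppData%) is easy to audit from a registry export. The following Python script is an added example for defenders and is not part of the Fortinet analysis: it parses text in the format written by `reg export`, collects the values under the Run and RunOnce keys (RunOnce is included here as a generalisation; the page itself only lists Run), and flags any entry whose target executable lives under the AppData directory. The registry sample, the value names and the paths in it are constructed for the demonstration.

```python
"""Flag Run-key persistence entries whose target executable lives under the
user's AppData directory, the pattern described in the analysis above.

Added example for defenders; it parses the text format produced by
`reg export`. The sample below is constructed, not captured from an infection.
"""
import re

# Constructed sample in .reg export format (hypothetical names and paths).
# In this format backslashes inside string data are doubled and embedded
# double quotes are written as \".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"qzkw"="\"%AppData%\\kxrd.exe\""
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\upd.exe"
'''

# Autostart keys audited here (RunOnce added as a generalisation of the page).
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Matches either the unexpanded %AppData% variable or an expanded
# ...\AppData\Roaming or ...\AppData\Local path component.
APPDATA_RE = re.compile(r"(%appdata%|\\appdata\\(roaming|local))", re.IGNORECASE)

# A .reg value line: "name"=<data>; the name may contain escaped quotes.
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes a double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    Binary, DWORD and other typed values (e.g. hex:...) are skipped because
    the Run-key check only needs string command lines."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE_RE.match(line)
            if not m:
                continue
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                result[current][name] = _unescape(raw[1:-1])
    return result


def extract_exe_path(command_line: str) -> str:
    """Pull the program path out of a Run-value command line.

    A quoted path is taken up to its closing quote; otherwise the first
    whitespace-delimited token is used."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ")[0]


def find_appdata_autoruns(text: str) -> list:
    """Return (key, value_name, exe_path) for every autostart entry that
    launches an .exe from under AppData."""
    hits = []
    suffixes = tuple(k.lower() for k in RUN_KEYS)
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(suffixes):
            continue
        for name, data in values.items():
            path = extract_exe_path(data)
            if path.lower().endswith(".exe") and APPDATA_RE.search(path):
                hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_appdata_autoruns(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: {key} -> {name} = {path}")
```

On a live system the same function can be fed the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg /y`; a hit is not proof of infection (some legitimate updaters install under AppData), but each flagged path is worth hashing and checking against the AV database before it runs again at the next logon.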

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product: Availability
FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR:

Version Updates

Date Version Detail
2020-06-09 78.04000 Sig Updated
2020-04-14 76.70200 Sig Updated
2020-03-17 76.03100 Sig Updated
2019-04-12 67.75300 Sig Updated
2019-04-02 67.50600 Sig Updated
2019-02-19 66.50100 Sig Updated
2019-01-18 65.72400 Sig Updated
2019-01-01 65.32400 Sig Updated
2018-12-25 65.15600 Sig Updated
2018-12-18 64.98900 Sig Updated