- This malware arrives as an email attachment and has a PDF file icon.
- Once executed, it attempts to connect to the following sites:
- It also attempts to download files from the following URLs:
- The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.
- It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
- [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"
- It also adds the following registry entry:
- HWID = [Random Hexadecimal Bytes]
- The malware performs a dictionary attack on several known FTP clients, file managers, mail clients, and browsers in an attempt to access potentially confidential information.
- FortiGate Systems
- Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
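The persistence entry described above (a value whose name is a random class ID and whose data points to a randomly named executable in a randomly named folder directly under the user's profile) can be hunted for on an endpoint. The following PowerShell script is an added example and is not part of the Fortinet write-up; it assumes the entry lives in the per-user Run key `HKCU:\Software\Microsoft\Windows\CurrentVersion\Run` (the write-up does not name the key) and that the value name is GUID-shaped. The HWID value's location is not given on the page, so it is not checked here.

```powershell
# Added example (not from the Fortinet write-up): report Run-key values that
# match the persistence pattern "[Random Class ID] = %UserProfile%\<folder>\<name>.exe".
# Assumption: the per-user Run key is used; adjust $Key to check other autostart locations.
$DefaultRunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# GUID-style value name, with or without surrounding braces (assumed shape of "[Random Class ID]")
$GuidNamePattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

function Find-SuspiciousRunEntries {
    param([string]$Key = $DefaultRunKey)

    if (-not (Test-Path -Path $Key)) { return @() }

    $item = Get-Item -Path $Key
    # Regex-escape the profile root so backslashes in the path are matched literally
    $profileRoot = [regex]::Escape($env:USERPROFILE)
    # Exactly one folder level below the profile root, then an .exe (the layout described above)
    $pathPattern = "^$profileRoot\\[^\\]+\\[^\\]+\.exe$"

    foreach ($name in $item.GetValueNames()) {
        # Read the raw data without expanding %UserProfile%, then expand it ourselves
        $raw = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')

        $guidNamed     = $name -match $GuidNamePattern
        $underProfile  = $expanded -match $pathPattern

        if ($guidNamed -and $underProfile) {
            [pscustomobject]@{
                Key      = $Key
                Name     = $name
                RawData  = $raw
                Command  = $expanded
                OnDisk   = Test-Path -LiteralPath $expanded
            }
        }
    }
}

# Usage: list matches, including whether the referenced executable is still present
Find-SuspiciousRunEntries | Format-Table -AutoSize
```

A hit is only a lead, not a verdict: confirm by hashing the referenced file and scanning it (the page states the downloaded payload was detected as W32/Kryptik.6F77!tr at the time of writing). Remove the Run value and quarantine the file together, since either one left behind is enough to restore the infection on the next logon.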