MSIL/Kryptik.MVB!tr

Analysis

MSIL/Kryptik.MVB!tr is a generic detection for a downloader Trojan. Since this is a generic detection, this malware may have varying behaviour.
Some of the MSIL/Kryptik.MVB!tr samples link to the Fareit (aka Pony) malware.
Below are some of the observed characteristics/behaviours:

  • This malware has been observed to attempt connection to:
    • http://juanjoserif{Removed}.com
    • http://sariraatjga{Removed}.com

  • Once connected, the malware may attempt to download the following files:
    • http://juanjoserif{Removed}.com/cgi-sys/suspendedpage.cgi
    • http://juanjoserif{Removed}.com/pc/Doc.049173001517294468.jar
    • http://sariraatjga{Removed}.com/dew/fre.php

  • This malware may drop one or more of the following files:
    • %Temp%\Name of the melted file.exe : a copy of the original file
    • %AppData%\Microsoft\Windows\Start Menu\Programs\[RandomName_1].exe : a copy of the original file
    • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\[RandomName_1].[RandomName_2].lnk : a link file that points to the previously dropped file and runs it on every startup

  • This malware may delete the original copy after execution

  • This trojan may be a Keylogger.

  • This trojan may exercise Anti-Virtual Machine techniques.
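As an added defender-side check (example code, not part of the Fortinet entry), the following PowerShell enumerates the current user's Startup shortcuts and flags any that point at an .exe sitting directly under Start Menu\Programs, the persistence layout described in the dropped-files list above. Folder paths are resolved with [Environment]::GetFolderPath and the script only reports; it deletes nothing.

```powershell
# Added example (not from the Fortinet page): look for the Startup .lnk -> Start Menu\Programs\*.exe
# persistence pattern this detection entry describes. Read-only: produces a report object per hit.
$startup  = [Environment]::GetFolderPath('Startup')    # %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
$programs = [Environment]::GetFolderPath('Programs')   # %AppData%\Microsoft\Windows\Start Menu\Programs
$shell    = New-Object -ComObject WScript.Shell

Get-ChildItem -Path $startup -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk    = $_
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    if (-not $target) { return }   # shortcut without a resolvable target: skip

    # Programs normally holds shortcuts, not executables. A .lnk in Startup whose target is
    # an .exe placed directly in Programs matches the dropped-file layout on this page.
    $parent = Split-Path -Path $target -Parent
    if ($target -like '*.exe' -and $parent -ieq $programs) {
        # Hash the target so it can be compared with the %Temp% copy or submitted for analysis.
        $hash = if (Test-Path -Path $target) {
            (Get-FileHash -Path $target -Algorithm SHA256).Hash
        } else { 'target missing' }

        [pscustomobject]@{
            Shortcut     = $lnk.FullName
            Target       = $target
            TargetSHA256 = $hash
            LnkWritten   = $lnk.LastWriteTime
        }
    }
}
```

A hit is only an indicator: confirm the target against the Temp copy and AV verdict before quarantining, since legitimate installers occasionally place executables in Programs.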


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2021-10-12 89.05871
2021-07-31 88.00028
2019-07-09 69.85400 Sig Updated
2019-07-02 69.68600 Sig Updated
2019-05-21 68.69100 Sig Updated
2019-04-09 67.67400 Sig Updated
2019-02-26 66.66900 Sig Updated
2019-02-12 66.33300 Sig Updated
2018-10-30 63.81200 Sig Updated