W32/Kryptik.E!tr

Analysis

  • This malware has recently been distributed as an attachment to spam mails disguised as a greeting card.


  • Technical details

  • It drops the following files:
    • %System%\lowsec\local.ds
    • %System%\lowsec\user.ds
    • %System%\sdra64.exe
  • To automatically run during system startup, the malware applies the following registry modification:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = "%SystemDir%\userinit.exe,%SystemDir%\sdra64.exe,"
  • The malware arrives as an attachment to a spammed mail using the following details:
    Subject: You have received an eCard
    Body:
    Good day.
    You have received an eCard
    To pick up your eCard, open attached file
    Your card will be aviailable for pick-up beginning for the next 30 days.
    Please be sure to view your eCard before the days are up!
    We hope you enjoy you eCard.
    Thank You!
    Attachment Filename: ecard.zip
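
As an added example (not part of this Fortinet entry), the following PowerShell check lets a defender audit a Windows host for the Winlogon Userinit persistence and the dropped files described above; the helper name Test-UserinitValue is ours, and the script assumes it runs on the host being checked with rights to read HKLM.

```powershell
# Added example, not Fortinet code: audit the Winlogon Userinit value and the
# drop locations listed in the analysis above for signs of this persistence.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system   = [Environment]::GetFolderPath('System')          # resolves %System%
$expected = (Join-Path $system 'userinit.exe').ToLower()   # the one stock entry

function Test-UserinitValue {
    param([string]$Value)
    # Userinit is a comma-separated list; Windows launches every entry at logon.
    # Anything other than the stock userinit.exe deserves a closer look.
    $entries = $Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($e).ToLower()
        if ($path -ne $expected -and $path -ne 'userinit.exe') {
            [pscustomobject]@{ Finding = 'Unexpected Userinit entry'; Detail = $e }
        }
    }
}

$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$findings = @(Test-UserinitValue -Value $userinit)

# Files the analysis above says the malware drops under %System%.
$dropped = @(
    (Join-Path $system 'sdra64.exe'),
    (Join-Path $system 'lowsec\local.ds'),
    (Join-Path $system 'lowsec\user.ds')
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Finding = 'Dropped file present'; Detail = $p }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this entry were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on either check is a reason to quarantine the host and compare the flagged files against the detection names listed below; a clean Userinit value normally contains only the stock userinit.exe entry followed by a trailing comma.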

  • Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability

    Product                     Availability
    FortiGate                   Extreme
    FortiClient                 Extended
    FortiMail                   Extended
    FortiSandbox                Extended
    FortiWeb                    Extended
    Web Application Firewall    Extended
    FortiIsolator               Extended
    FortiDeceptor               Extended
    FortiEDR

    Version Updates

    Date         Version     Detail
    2023-08-15   91.06054
    2023-06-20   91.04375
    2022-05-25   90.02623
    2022-05-25   90.02622
    2022-05-03   90.01962
    2022-02-26   89.09994
    2022-02-08   89.09443
    2021-12-14   89.07763
    2021-12-07   89.07553
    2021-11-30   89.07356