Threat Encyclopedia

W32/Kryptik.E!tr

Analysis

  • This malware has been recently sent around as an attachment to some SPAM mails disguised as a greeting card.


  • Technical details

  • It drops the following files:
    • %System%\lowsec\local.ds
    • %System%\lowsec\user.ds
    • %System%\sdra64.exe
  • To automatically run during system startup, the malware applies the following registry modification:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = "%SystemDir%\userinit.exe,%SystemDir%\sdra64.exe,"
  • The malware arrives as an attachment to a spammed mail using the following details:
    Subject: You have received an eCard
    Body:
    Good day.
    You have received an eCard
    To pick up your eCard, open attached file
    Your card will be aviailable for pick-up beginning for the next 30 days.
    Please be sure to view your eCard before the days are up!
    We hope you enjoy you eCard.
    Thank You!
    Attachment Filename: ecard.zip
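The persistence and drop indicators above can be checked on a host in a few lines. The following is an added example (not Fortinet's own code); it assumes the stock Userinit value is the single entry `userinit.exe` in the system directory and that the dropped files live under that same directory, with the file-existence check injected so it can run offline against constructed data.

```python
import ntpath
from typing import Callable, Dict, List

# Dropped-file indicators from the advisory, relative to the system directory.
DROPPED_FILES = (r"lowsec\local.ds", r"lowsec\user.ds", r"sdra64.exe")


def parse_userinit(value: str) -> List[str]:
    """Split a Winlogon Userinit value into its comma-separated entries.
    The clean value is one entry plus a trailing comma, e.g.
    'C:\\Windows\\system32\\userinit.exe,'; empty fields are dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str, system_dir: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe in
    system_dir (assumed location; compared case-insensitively). Any extra
    entry, such as the advisory's sdra64.exe, is a persistence finding."""
    expected = ntpath.join(system_dir, "userinit.exe").lower()
    return [e for e in parse_userinit(value) if e.lower() != expected]


def present_dropped_files(system_dir: str, exists: Callable[[str], bool]) -> List[str]:
    """Report which of DROPPED_FILES exist under system_dir. `exists` is
    injected: pass os.path.exists on a live host, or a lookup into a
    constructed file set when testing."""
    paths = [ntpath.join(system_dir, rel) for rel in DROPPED_FILES]
    return [p for p in paths if exists(p)]


def assess_host(userinit_value: str, system_dir: str,
                exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Run both checks; a non-empty list under either key warrants triage."""
    return {
        "userinit_extra": unexpected_userinit_entries(userinit_value, system_dir),
        "dropped_files": present_dropped_files(system_dir, exists),
    }


if __name__ == "__main__":
    # Constructed sample host reproducing the advisory's registry value and drops.
    sysdir = r"C:\Windows\system32"
    infected = {ntpath.join(sysdir, rel) for rel in DROPPED_FILES}
    value = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,"
    print(assess_host(value, sysdir, lambda p: p in infected))
```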

  • Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.
