Win32/Kryptik.VO

Win32/Kryptik.VO is a detection name for a Trojan that self-replicates and spreads over a computer network. It targets the Windows platform. Win32/Kryptik.VO hides its presence on the infected PC by embedding its own code in legitimate system files. Additional malicious files are downloaded from a remote computer. The Trojan does not allow legitimate antivirus programs to interfere with its harmful activities; their processes are disabled. Win32/Kryptik.VO also has a re-spawning mechanism that can restore its own deleted files.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
Once Win32/Kryptik.VO is executed, it renames certain files under the Windows system folder. It gains automatic start-up by adding its own value to the Windows registry. The Trojan searches for running processes related to anti-virus or firewall applications and terminates them as soon as they are found.

An additional effect of this Trojan is that it communicates with a remote computer and performs other activities such as the following:

  • Update the existing configuration file.
  • Download more malware and execute it on the compromised PC.
  • Allow a remote attacker to access the infected computer via a backdoor port.
  • Block access to legitimate security web sites and prevent updates of locally installed software.
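The three behaviours described above (a registry autostart value, blocking of security web sites, and disabled anti-virus or firewall processes) can each be checked from an elevated PowerShell prompt. The script below is an added triage example, not code from the original page; it assumes the standard Windows Run-key paths and hosts-file location, and the vendor domain list is a constructed illustration.

```powershell
# Added triage script (not from the original page). Assumptions: standard
# Run/RunOnce key paths and hosts-file path; the vendor domain list is
# constructed for illustration and is not taken from the page.

# 1. Autostart values: list every Run/RunOnce entry so an unfamiliar one stands out.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 2. Hosts-file hijack: a non-comment line that names a security vendor domain
#    is how "block access to legitimate security web sites" is commonly achieved.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorDomains = @('eset.com', 'mcafee.com', 'symantec.com', 'kaspersky.com', 'microsoft.com')  # constructed sample
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
    ForEach-Object {
        $line = $_
        foreach ($d in $vendorDomains) {
            if ($line -match [regex]::Escape($d)) { "Hosts entry overriding $d : $line" }
        }
    }

# 3. Security services that are stopped or disabled are consistent with the
#    process-killing behaviour; review each one before the full scan in step 4.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -match 'antivirus|defender|security|firewall' -and $_.State -ne 'Running' } |
    Select-Object -Property Name, DisplayName, State, StartMode
```

Anything this reports is a lead for the removal procedure further down, not proof of this particular Trojan; legitimate software also registers Run values and services.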

Distribution
Although Trojans spread by a number of methods, Win32/Kryptik.VO propagates through a selected process only. It poses as an installation file for popular programs such as games, photo editors, or multimedia software. These harmful files use unsecured file-sharing servers to reach computer users and employ a deceptive file name to lure victims into executing the file.

Symptoms
- The computer will experience reduced performance as well as system crashes.
- Numerous pop-up advertisements will flood the screen.
- The Trojan will redirect Internet traffic, which leads to additional virus infections.
- Security settings are set to a minimum, which gives the Trojan free access to all files and folders.

How to Remove Win32/Kryptik.VO

Automatic Removal Procedure

1. Temporarily disable System Restore (Windows Me/XP).
2. To identify even the most recent variant of Win32/Kryptik.VO, open your antivirus application and update the virus definitions.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will boot Windows loading only the necessary drivers and system files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If you are unable to delete them, place them in quarantine instead. Once the scan is complete, proceed with the next step.

Scan with Stinger

Stinger is a portable security tool that can detect and remove particular viruses. It uses an advanced scan engine that includes process scanning and scan-function optimization.

5. Go to Stinger and download Norton Power Eraser. Save it to your desktop.
6. Once the download completes, double-click the file to run the program.
7. The Stinger main program will open.
8. The default directory to scan is the system drive (C:\). You may add more drives to scan by clicking the Add button.
9. Click the Scan Now button to begin scanning the assigned drives.
10. Stinger will now scan and repair/delete all infected files.
11. When done, you may close McAfee Stinger and restart Windows in normal mode.

Notes

Microsoft Windows operating systems have a built-in tool to restore system files and programs to their original state. Restoring Windows to its previous settings will undo all the changes that Win32/Kryptik.VO has made to the system. However, this process is only useful if a restore point was created before the infection.
