TrendMicro: WORM_KRYNOS.B

WORM_KRYNOS.B is a destructive, memory-resident worm that propagates via peer-to-peer applications by dropping a .ZIP copy of itself in a certain folder. It may also spread via email by sending itself as an attachment. This worm has backdoor capabilities, allowing remote users to access and perform malicious tasks on affected machines. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file. WORM_KRYNOS.B is currently spreading in-the-wild, and infecting computers running Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops the following files in the Windows folder:

* %Windows%\Help\svchost.dat
* %Windows%\Help\svchost.exe
* %Windows%\Help\svchost.lce

It then displays the following message:
Can't open mfc73rp.dll

It creates a registry entry that allows it to automatically execute the dropped file svchost.exe at every system startup.

This worm propagates via P2P applications by making a .ZIP copy of itself in a specific folder -- the file name depends on the names of the currently saved files in that folder.

The worm may also propagate by sending itself as an attachment to an email message. It searches files with the extensions HTM and TXT for target email addresses. However, it first queries www.google.com to check for an Internet connection, before it sends the email.

The email it sends contains the following details:

From: security@microsoft.com

To: (recipient email address harvested from affected system)

Subject: Microsoft Security Update

Message body:
* "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
Affected Software:
* Impact of Vulnerability: Remote Code Execution
* Importance: High
* Maximum Severity Rating: Critical
* Recommendation: Customers should apply the attached update at the earliest opportunity
* Summary:
* Who should read this document: Customers who use Microsoft Windows
* X-Mailer: Secure Microsoft Client, Build 2.1
* X-MimeOLE: Produced By Secure Microsoft Client V2.1
* X-MSMail-Priority: High
* X-Priority: 1 (Highest)

Attachment:
* ARC
* ARJ
* GZ
* LZH
* TGZ
* ZIP
* ZOO

The worm avoids worm avoids sending email to addresses containing certain strings. View the complete list of strings.

The following backdoor capabilities are enabled by the worm:

Get, upload, download, or delete a file
List files in a folder
Disconnect current user
Restart the system
Run a program
Create or delete a folder

This worm also modifies the system's HOSTS, which contains the host name to IP address mappings. This modification prevents affected users from accessing specific sites related to antivirus companies.

If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_KRYNOS.B is detected and cleaned by Trend Micro pattern file #2.523.05 and above.