Discussion in 'malware problems & news' started by Randy_Bell, Apr 1, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    WORM_KRYNOS.B is a destructive, memory-resident worm that propagates via peer-to-peer applications by dropping a .ZIP copy of itself in a certain folder. It may also spread via email by sending itself as an attachment. This worm has backdoor capabilities, allowing remote users to access and perform malicious tasks on affected machines. It can also prevent affected users from accessing certain antivirus and security Web sites by modifying the HOSTS file. WORM_KRYNOS.B is currently spreading in-the-wild, and infecting computers running Windows NT, 2000, and XP.

    Upon execution, this memory-resident worm drops the following files in the Windows folder:

    * %Windows%\Help\svchost.dat
    * %Windows%\Help\svchost.exe
    * %Windows%\Help\svchost.lce

    It then displays the following message:
    Can't open mfc73rp.dll

    It creates a registry entry that allows it to automatically execute the dropped file svchost.exe at every system startup.

    This worm propagates via P2P applications by making a .ZIP copy of itself in a specific folder -- the file name depends on the names of the currently saved files in that folder.

    The worm may also propagate by sending itself as an attachment to an email message. It searches files with the extensions HTM and TXT for target email addresses. However, it first queries to check for an Internet connection, before it sends the email.

    The email it sends contains the following details:


    To: (recipient email address harvested from affected system)

    Subject: Microsoft Security Update

    Message body:
    * "Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)"
    Affected Software:
    * Impact of Vulnerability: Remote Code Execution
    * Importance: High
    * Maximum Severity Rating: Critical
    * Recommendation: Customers should apply the attached update at the earliest opportunity
    * Summary:
    * Who should read this document: Customers who use Microsoft Windows
    * X-Mailer: Secure Microsoft Client, Build 2.1
    * X-MimeOLE: Produced By Secure Microsoft Client V2.1
    * X-MSMail-Priority: High
    * X-Priority: 1 (Highest)

    * ARC
    * ARJ
    * GZ
    * LZH
    * TGZ
    * ZIP
    * ZOO

    The worm avoids worm avoids sending email to addresses containing certain strings. View the complete list of strings.

    The following backdoor capabilities are enabled by the worm:

    Get, upload, download, or delete a file
    List files in a folder
    Disconnect current user
    Restart the system
    Run a program
    Create or delete a folder

    This worm also modifies the system's HOSTS, which contains the host name to IP address mappings. This modification prevents affected users from accessing specific sites related to antivirus companies.

    If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    WORM_KRYNOS.B is detected and cleaned by Trend Micro pattern file #2.523.05 and above.
    Last edited: Apr 1, 2005
Thread Status:
Not open for further replies.