Jump to content
Sign in to follow this  
Metallica

Removal instructions for Trojan.Agent Kryptik

Recommended Posts

What is Trojan.Agent Kryptik?

 

The Malwarebytes research team has determined that Trojan.Agent Kryptik is a Trojan Clicker. Typically these are used to perform online actions in order to boost hit-counts.

 

How do I know if I am infected with Trojan.Agent Kryptik?

 

There are hardly any visible signs unless you are actively looking. You may experience a slower then normal computer. Once you start looking what's wrong you may spot some oddly named folders in your %ApplicationData% folder. (The full path to this folder is usually C:\Documents and Settings\{username}\Local Settings\Application Data

malware_folders.png

 

The names of the folders are a mix of the following components:

First part list:

Game,Tool,Utility,Sysutil,Browser,Navigator,Modulator,Receiver,Calculator,Validator,UI,Provider,Teller,Narrator,Supporter,Volunteer,Vinyl,Polyester,Cotton,Whisky

Second part list:

Visual,Optional,Jawa,Software,Assistant,Model,Gravity,Higgs,Medium,Noteworthy,Pale,Infinity,Voice,Sync,Joint,Mobile,Wireless,Radio,Humble,Beerware

 

I highlighted the examples we found to demonstrate how this turned out in the screenshot above.

 

If you run HijackThis, OTL or something similar you will find a corresponding Startup key.

 

O4 - HKCU\..\Run: [VolunteerJoint] C:\Windows\System32\rundll32.exe "C:\Documents and Settings\{username}\Local Settings\Application Data\VolunteerJoint.dll",DllRegisterServer
Using Process Explorer or a similar tool that enables you to look at the properties of a running process you can look at rundll32.exe and see the dll it has loaded.

malware_process.png

How did Trojan.Agent Kryptik get on my computer?

Trojans use many ways to infect your computer. This particular one was spread by using Silverlight and Adobe Flash exploits following this flowchart:

Silverlight_and_Flash.png

A full analysis of the exploit can be found on our blog

How do I remove Trojan.Agent Kryptik?

  • Find the running process as shown earlier, make note of the path to the dll and kill the process.
  • Find the folder(s) that belong to the Trojan infection. Look at the naming convention earlier, but leave them alone if you are unsure. The following scan will get the important components.
  • Remove the Run key. Preferably using the tool that showed it or directly from the registry.
    • Please download Malwarebytes Anti-Malware to your desktop.
    • Double-click mbam-setup-version.exe and follow the prompts to install the program.
    • At the end, be sure a check-mark is placed next to the following:
      • Enable free trial of Malwarebytes Anti-Malware Premium
      • Launch Malwarebytes Anti-Malware
    • Then click Finish.
    • If an update is found, you will be prompted to download and install the latest version.
    • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
    • When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
    • Reboot your computer if prompted.
How would the full version of Malwarebytes Anti-Malware help protect me?

 

We hope our application and this guide have helped you eradicate this hijacker.  

 

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Name of the rogue hijacker.  It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

 

 

protection1.png

Technical details for experts

You can find all the details about the exploit in this blogpost

Malwarebytes Anti-Malware log:

 

Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 9/12/2014Scan Time: 12:33:48 PMLogfile: unknownEK.txtAdministrator: YesVersion: 2.00.2.1012Malware Database: v2014.09.12.06Rootkit Database: v2014.09.12.01License: TrialMalware Protection: EnabledMalicious Website Protection: EnabledSelf-protection: DisabledOS: Windows XP Service Pack 3CPU: x86File System: NTFSUser: AdministratorScan Type: Threat ScanResult: CompletedObjects Scanned: 271773Time Elapsed: 2 min, 7 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: DisabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 1Trojan.Agent, C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll, , [cbfbea02bac1b383f7561ba46899f20e], Registry Keys: 0(No malicious items detected)Registry Values: 1Trojan.Agent, HKCU-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|VolunteerJoint, C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll",DllRegisterServer, , [cbfbea02bac1b383f7561ba46899f20e]Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 1Trojan.Agent, C:\Documents and Settings\Administrator\Local Settings\Application Data\VolunteerJoint\VolunteerJoint.dll, , [cbfbea02bac1b383f7561ba46899f20e], Physical Sectors: 0(No malicious items detected)(end)
 

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.