W32/Kryptik.AX!tr is an FTP Trojan (it steals FTP client credentials) that comes packed with UPX and, once unpacked, carries its own anti-emulation mechanisms. W32/Kryptik.AX!tr collects the details of the FTP servers configured on a compromised host. It looks for several well-known FTP clients, including Ghisler's Windows Commander and Total Commander, Far FTP, GlobalSCAPE CuteFTP, WS_FTP and FlashFXP. For each client, W32/Kryptik.AX!tr queries the Windows Registry for the path of the client's .ini or .dat configuration file, and it can also read the stored host, username and password directly from the registry subkeys belonging to that FTP client. Where possible, it additionally uses the shell special-folder lookup (ShSpecialFolder) to locate the directories of the FTP clients it recognises and then searches those directories manually for the .ini and .dat files. For CuteFTP, W32/Kryptik.AX!tr queries the Windows Registry and, in addition, parses particular folders.

W32/Kryptik.AX!tr is able to update itself and drop new versions of itself, and it attempts to contact particular domains to obtain those updates.

Registry Details

W32/Kryptik.AX!tr may create the following registry entry or entries (the {Some ID}, [RandomFolderName] and [RandomName] parts vary from sample to sample):

Key:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: {Some ID}
Data:  "%CurrentUser%\[RandomFolderName]\[RandomName].exe"