Virus:TR/Kryptik.FU
Date discovered:01/09/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:98.304 Bytes
MD5 checksum:d2f7cb6da675a38bfa963c023a732b1f
IVDF version:7.10.11.70 - Thursday, September 2, 2010

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Yimfoca
   •  Kaspersky: IM-Worm.Win32.Yahos.ci
   •  Microsoft: Trojan:Win32/Ircbrute
   •  Panda: W32/MSNworm.JB.worm
   •  PCTools: Malware.Yimfoca
   •  VirusBuster: Trojan.Ircbrute.BLB
   •  Eset: IRC/SdBot.AVU
   •  Sunbelt: Trojan.Win32.Ircbrute
   •  AhnLab: Malware/Win32.Yimfoca
   •  DrWeb: BackDoor.Siggen.25869
   •  Fortinet: W32/SDBot.30ED!tr
   •  Ikarus: Trojan.Win32.Ircbrute
   •  Norman: W32/Ircbrute.AR


Platforms / OS:
   • Windows XP


Side effects:
   • Drops files
   • Registry modification

 Files It copies itself to the following locations:
   • %WINDIR%\jusched.exe
   • %WINDIR%\jusched.exg



It deletes the following file:
   • %WINDIR%\jusched.exg

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "c:\\%current directory%\\%executed file%
      "="%WINDIR%\jusched.exe:*:Enabled:Java developer Script Browse"

Description inserted by Christoph Baumann on Monday, September 6, 2010
Description updated by Christoph Baumann on Monday, September 6, 2010

Back . . . .