BKDR_KIRPICH
Gyplit, Afcore, Regsubdat
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Dropped by other malware, Downloaded from the Internet
KIRPICH is a family of backdoors that arrives via exploit documents, i.e. documents crafted to exploit vulnerabilities in the application that opens them. It is also known as the RegSubDat botnet. Its name probably comes from its code being stored in an encrypted .DAT file; this design helps both the binary component (the decrypter) and the .DAT file (the encrypted code) evade detection.
Once executed, KIRPICH downloads other malware such as ransomware, scareware, and clickware, thereby compromising the security of the infected system.
TECHNICAL DETAILS
Yes
Drops files, Downloads files
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Microsoft\Messenger\SpeechEngines\xpmsgr.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Microsoft\Messenger\Plugin\msgslang.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%User Profile%\Application Data\Adobe\Plugins\AcroRd32Info.exe"
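The "load" value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy Win.ini-style autostart that is rarely populated on a clean system, so a defender can treat any non-empty value there as worth reviewing and compare its target against the file names listed above. The following script is an added example written for this page, not Trend Micro's code or a KIRPICH component: it parses a .reg export (the sample export below is constructed, not a real capture) and reports whether the watched value is set, whether its file name matches one of the page's indicators, and whether it points into the user's Application Data directory. The parser handles only REG_SZ entries, which is all this check needs.

```python
import re
from typing import Dict, List

# Autostart location named on the page; the "load" value is rarely used legitimately.
WATCHED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
WATCHED_VALUE = "load"

# File names taken from the registry entries listed on the page (lower-cased for comparison).
KIRPICH_FILENAMES = {"xpmsgr.exe", "msgslang.exe", "acrord32info.exe"}

# Constructed sample .reg export resembling an infected Windows XP profile (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\Messenger\\SpeechEngines\\xpmsgr.exe"
"DeviceNotSelectedTimeout"="15"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed clean export: the watched key exists but "load" is absent.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: returns {key_path: {value_name: REG_SZ string}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            # .reg exports escape backslashes as \\ and quotes as \"; undo that.
            tree[current][name] = re.sub(r"\\(.)", r"\1", value)
    return tree


def check_load_value(tree: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the watched autostart value (empty list if clean)."""
    findings: List[str] = []
    load = tree.get(WATCHED_KEY, {}).get(WATCHED_VALUE, "")
    if not load:
        return findings
    findings.append(f"non-empty '{WATCHED_VALUE}' value: {load}")
    # Last path component, first token (drops any trailing command-line arguments).
    exe = load.strip('"').split("\\")[-1].split()[0].lower()
    if exe in KIRPICH_FILENAMES:
        findings.append(f"file name matches a BKDR_KIRPICH indicator: {exe}")
    lowered = load.lower()
    if "\\application data\\" in lowered or "\\appdata\\" in lowered:
        findings.append("target lives under the user profile's application data directory")
    return findings


if __name__ == "__main__":
    for label, export in (("sample", SAMPLE_REG), ("clean", CLEAN_REG)):
        hits = check_load_value(parse_reg_export(export))
        print(f"{label}: {'no findings' if not hits else ''}")
        for hit in hits:
            print(f"  - {hit}")
```

To produce the input on a live Windows host, export the key with `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" out.reg`, or inspect the value directly with `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v load`. The script checks only the current user's hive, which is where the page places these entries; every user profile on a shared machine has its own copy of this key and should be checked separately.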