TROJ_KRYPTIK.MGC

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Dropping Routine

This Trojan drops the following files:

• %User Temp%\~!#1.tmp
• %User Temp%\~!#2.tmp
• %User Temp%\~!#3.tmp
• %User Temp%\~!#4.tmp
• %User Temp%\~!#5.tmp
• %User Temp%\~!#6.tmp
• %User Temp%\~!#7.tmp
• %User Temp%\~!#8.tmp
• %User Temp%\~!#9.tmp
• %User Temp%\~!#A.tmp
• %User Temp%\~!#B.tmp
• %User Temp%\~!#C.tmp
• %User Temp%\~!#D.tmp
• %User Temp%\~!#E.tmp
• %User Temp%\~!#F.tmp
• %User Temp%\~!#10.tmp
• %User Temp%\~!#11.tmp
• %User Temp%\~!#12.tmp
• %User Temp%\~!#13.tmp
• %User Temp%\~!#14.tmp
• %User Temp%\~!#15.tmp
• %User Temp%\~!#16.tmp
• %User Temp%\~!#17.tmp
• %User Temp%\~!#18.tmp
• %User Temp%\~!#19.tmp
• %User Temp%\~!#1A.tmp
• %User Temp%\~!#1B.tmp
• %User Temp%\~!#1C.tmp
• %User Temp%\~!#1D.tmp
• %User Temp%\~!#1E.tmp
• %User Temp%\~!#1F.tmp
• %User Temp%\~!#20.tmp
• %User Temp%\~!#21.tmp
• %User Temp%\~!#22.tmp
• %User Temp%\~!#23.tmp
• %User Temp%\~!#24.tmp
• %User Temp%\~!#25.tmp
• %User Temp%\~!#26.tmp
• %User Temp%\~!#27.tmp
• %User Temp%\~!#28.tmp
• %User Temp%\~!#29.tmp
• %User Temp%\~!#2A.tmp
• %User Temp%\~!#2B.tmp
• %User Temp%\~!#2C.tmp
• %User Temp%\~!#2D.tmp
• %User Temp%\~!#2E.tmp
• %User Temp%\~!#2F.tmp
• %User Temp%\~!#30.tmp
• %User Temp%\~!#31.tmp
• %User Temp%\~!#32.tmp
• %User Temp%\~!#33.tmp
• %User Temp%\~!#34.tmp
• %User Temp%\~!#35.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other Details

This Trojan connects to the following possibly malicious URL:

• http://brduf.{BLOCKED}c.org/images.php?t=242309

This report is generated via an automated analysis system.