Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 29 November 2004 23:04:30 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Krepper-AE is a multi-component startpage Trojan.
Troj/Krepper-AE copies its main dropper component to the Windows system folder with a filename consisting of 10 to 14 random characters (including digits, excluding the letter "a") followed by THD and with an EXE extension.
Troj/Krepper-AE sets the following entry in the registry so as to run the main dropper component on system startup, resetting this value repeatedly:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Control handler
Troj/Krepper-AE attempts to drop three further files to the Windows system folder. All have filenames consisting of random characters (including digits, excluding the letter "a"): two of them consist of 10 to 14 characters and have DLL extensions, and the third consists of 11 to 15 characters and has either a DLL or an EXE extension. All these files are detected as Troj/Krepper-AE.
Troj/Krepper-AE may set the following registry entry to run the dropped EXE file on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
romahere
Troj/Krepper-AE may set the following registry entry to run one of the dropped DLL files on system startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
Troj/Krepper-AE may drop another DLL file to the Temporary folder with a TMP extension that is also detected as Troj/Krepper-AE. This file in turn may drop a file to the Temporary folder with an EXE extension that is detected as Troj/Krepper-Q.
Troj/Krepper-AE may attempt to redirect the user's internet browser to a website whose address is stored in the following registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\
HPDed
Troj/Krepper-AE uses a site at the domain win-eto.com for this by default.
Troj/Krepper-AE may attempt to communicate with PHP pages at the domain super-spider.com.
Troj/Krepper-AE modifies the HOSTS file, mapping the hostnames of common search engine sites to its own site, so that requests for those sites are redirected. Troj/Krepper-AE modifies HOSTS files located at:
C:\WINDOWS\hosts
C:\WINDOWS\system32\drivers\etc\hosts
C:\WINNT\hosts
C:\WINNT\system32\drivers\etc\hosts
D:\WINDOWS\hosts
D:\WINDOWS\system32\drivers\etc\hosts
D:\WINNT\hosts
D:\WINNT\system32\drivers\etc\hosts
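A defender-side check for the HOSTS-file tampering described above, added here as an example and not part of the Sophos analysis: it parses a hosts file, skips comments and loopback mappings, and reports any watched search-engine hostname that has been pointed at another address. The watched hostnames, the sample hosts content and the 203.0.113.0/24 address are constructed for the example; the analysis does not name the sites the Trojan maps.

```python
import ipaddress
from pathlib import Path

# Search-engine hostnames to watch: a constructed list for this example, the
# analysis does not say which sites the Trojan maps.
WATCHED_HOSTS = {"google.com", "yahoo.com", "msn.com", "altavista.com"}
# The hosts-file locations listed in the analysis.
HOSTS_PATHS = [r"C:\WINDOWS\hosts", r"C:\WINDOWS\system32\drivers\etc\hosts",
               r"C:\WINNT\hosts", r"C:\WINNT\system32\drivers\etc\hosts"]

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # not an IP literal at all; treat as suspicious

def _is_watched(hostname, watched):
    host = hostname.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)

def find_hijacked_entries(hosts_text, watched=WATCHED_HOSTS):
    """Return (line_no, address, hostname) for each watched hostname mapped to a
    non-loopback address; 127.0.0.1 mappings block rather than redirect, so are skipped."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if _is_loopback(addr):
            continue
        hits.extend((line_no, addr, n) for n in names if _is_watched(n, watched))
    return hits

def scan_hosts_files(paths=HOSTS_PATHS, watched=WATCHED_HOSTS):
    """Check every listed hosts file that exists; returns {path: hits}."""
    found = {}
    for path in filter(Path.is_file, map(Path, paths)):
        hits = find_hijacked_entries(path.read_text(errors="replace"), watched)
        if hits:
            found[str(path)] = hits
    return found

# Constructed sample of a tampered hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # lines added by the Trojan
203.0.113.10    search.yahoo.com yahoo.com
"""
```

On a live Windows machine `scan_hosts_files()` walks the four paths from the analysis; `find_hijacked_entries(SAMPLE_HOSTS)` shows the output format on the constructed sample.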
Troj/Krepper-AE may also attempt to create internet shortcuts in the Favorites folder.
Troj/Krepper-AE may also set the following registry entries so as to change the user's start page and search page settings to point to the same website:
HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\
Search Page
Troj/Krepper-AE uses stealth techniques to make itself harder to detect and remove.
Troj/Krepper-AE may set some of the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\
Enable Browser Extensions
"yes"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Cassandra\
data1
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Cassandra\
data2
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Cassandra\
data3
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Cassandra\
data4
HKCU\Software\Microsoft\Internet Explorer\Settings\
UpdateDate
HKCU\Software\Microsoft\Internet Explorer\Settings\
ControlID
HKCU\Software\Microsoft\Internet Explorer\Settings\
GUID
HKCU\Software\Microsoft\Internet Explorer\Settings\
Control date
HKCU\Software\Microsoft\Internet Explorer\Settings\
Bonus
HKCU\Software\Microsoft\Internet Explorer\Settings\
Bonus Avg
HKCU\Software\Microsoft\Internet Explorer\Settings\
Bonus URL
HKCU\Software\Microsoft\Internet Explorer\Settings\
Bonus TODO_Count
HKCU\Software\Microsoft\Internet Explorer\Settings\
Bonus TODO_Item_Data
Troj/Krepper-AE may set a number of registry entries at the following location:
HKLM\SOFTWARE\Classes\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}\
Troj/Krepper-AE may attempt to delete the following registry entries, as well as deleting the files associated with them:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
romahere
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
romahere2
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
romahere
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
romahere2
Troj/Krepper-AE may also delete certain registry entries at the following location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

