Sophos

W32/Krynos-B

Aliases
  • Email-Worm.Win32.Krynos.b

Summary

How it spreads
  • Email attachments
  • Network shares
  • Peer-to-peer
Affected operating systems Windows
Protection available since 29 March 2005 05:40:30 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the following value under HKEY_LOCAL_MACHINE (key, value name and value data):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Service Host Process
%WINDOWS%\Help\svchost.exe

and delete the value if it exists.

Close the registry editor.

More Information

W32/Krynos-B is a worm for the Windows platform.

When the worm is first run, it displays a fake error message that reads:

Can't open mfc73rp.dll

The worm copies itself to the Windows Help folder as svchost.exe and creates the following registry entry so that it runs each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Service Host Process
%WINDOWS%\Help\svchost.exe

The worm harvests email addresses from the infected computer and sends itself as an attachment to each address found. Email sent by W32/Krynos-B has the following properties:

From:
Microsoft SecurityTeam

Subject line:
Microsoft Security Update

Message Text:
Vulnerability in Windows Explorer Could Allow Remote Code Execution (612827)
Summary:
Who should read this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the attached update at the earliest opportunity
Affected Software:
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows NT
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Attached file:
update.zip

W32/Krynos-B avoids sending email to addresses containing any of a list of strings associated with security vendors, government, military and educational domains, mailing lists and role accounts (for example abuse, admin@ and support).


The worm may also attempt to copy itself into the following locations:

C:\inetpub\wwwroot\password.zip
C:\inetpub\wwwroot\password.pif

W32/Krynos-B may delete files from Peer to Peer (P2P) folders and replace them with copies of the worm.

The worm appends entries to the HOSTS file (typically located in %SYSTEM%\Drivers\etc) that map the websites of a number of antivirus vendors, including Sophos, Symantec, McAfee, Kaspersky, F-Secure and Trend Micro, to 127.0.0.1, in an attempt to block access to those websites.

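A defender-side helper for the HOSTS cleanup described in the Action section, added here as an example and not part of the Sophos analysis: it parses HOSTS file text, reports every non-local hostname that has been pointed at a loopback address, and rewrites the text while keeping the legitimate localhost entries (including a mixed line where a worm name shares a line with localhost). The sample HOSTS content is constructed.

```python
"""Audit a Windows HOSTS file for Krynos-B style sinkhole entries (added example, not Sophos code)."""
# Loopback addresses used to sinkhole a hostname.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately resolve to loopback and must never be removed.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: a stock HOSTS file with worm-style lines appended at the end.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are the constructed worm additions
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com  # trailing comment
127.0.0.1 localhost download.mcafee.com
"""

def parse_hosts_line(line):
    """Return (address, [hostnames]) for an entry line, or None for blank and comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]

def find_sinkholed(hosts_text):
    """List (line_number, hostname) for every non-local name mapped to a loopback address."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        entry = parse_hosts_line(line)
        if entry and entry[0] in LOOPBACK:
            hits += [(no, n.lower()) for n in entry[1] if n.lower() not in LEGIT_LOOPBACK_NAMES]
    return hits

def clean_hosts(hosts_text):
    """Return the file text with sinkhole names removed; legitimate loopback entries survive."""
    out = []
    for line in hosts_text.splitlines():
        entry = parse_hosts_line(line)
        if not entry or entry[0] not in LOOPBACK:
            out.append(line)  # comment, blank, or non-loopback entry: keep verbatim
            continue
        addr, names = entry
        legit = [n for n in names if n.lower() in LEGIT_LOOPBACK_NAMES]
        if len(legit) == len(names):
            out.append(line)  # purely legitimate loopback entry
        elif legit:
            out.append(f"{addr} {' '.join(legit)}")  # mixed line: keep only the legitimate names
        # a line carrying only sinkholed names is dropped
    return "\n".join(out) + "\n"
```

Run find_sinkholed on the contents of the HOSTS file after backing it up, review the reported names, and write clean_hosts' output back only once the report contains nothing you want to keep.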
