
Warning: Kazaakrypton trojan horse program

Discussion in 'Virus & Other Malware Removal' started by TonyKlein, Feb 17, 2003.

  1. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    From Privacy Software Corporation Security Advisory Sunday, February 16, 2003:
    KAZAAKRYPTON TROJAN HORSE PROGRAM


    SYNOPSIS:

    KAZAAKRYPTON (and similar programs such as IGLOO KAZAA) are the beginning of a new trend in trojan horse backdoors which take advantage of people downloading "cracked" or "free" software, music, or pornography from Kazaa and Kazaa-like file sharing servers on the internet. KAZAAKRYPTON, IGLOO and a few others we have seen in the last few days all share a commonality. These backdoors depend on people downloading an executable file or archive of interest and then end up opening up a hidden backdoor server on their machine which then joins the file sharing networks, serving up more copies of the trojan among whatever files "innocent" users add to the "collection."

    Analysis of these new trojans has determined that once initiated, they begin making multiple copies of themselves into a subfolder of the main "Windows" folder on the affected machines. The files produced tend towards 6 new copies of the original trojan per minute, rapidly filling up the hard disk of the victim with deliberately named filenames of differing size. The resizing of the copies and the filenames, often containing names shown above in order to entice downloading, makes it extremely difficult for a Kazaa or similar file sharing host to be able to determine which files are legitimate and which are backdoors. Because of the manner in which antiviruses function, it would also be difficult for a pattern match of files to succeed as the sizings and spacings of the contents of the files containing the backdoor can be unpredictable, and therefore potentially elusive.

    On machines which contain KAZAA, the backdoor trojan adds an entry to the registry as follows:

    HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir6"
    which points to a folder called:
    C:\WINDOWS\User32
    which contains the multiple copies of the trojan under numerous "interesting names" in order to entice parties visiting the Kazaa server to download the trojan. In our testing, an average of 6 new files were created every minute.
    On machines that do NOT contain Kazaa, these backdoors will open ports 113 and 30201 and behave LIKE a Kazaa server, setting up shop in the same location in the registry and broadcasting their availability irrespective of whether the "victim" is running a file sharing server or not.

    When running, the KAZAAKRYPTON and similar tools utilize tremendous amounts of CPU time, resulting in an obvious slowdown of the victim's computer with rest periods of ten seconds or longer between file creation salvos. Slowing of internet access on broadband systems is also noticeable, especially when the victim is not running Kazaa or similar "file-sharing" software.

    Proliferation of this backdoor depends on people with less than the most honest intentions "reaching for the low-hanging fruit" of obtaining paid licensed software for free, the warning signs of suspicious content being "cracked registration keys," "full version downloads of commercial software," "cracked music CD's," and popular gamingware. The filenames of the infected files (as evidenced by the screenshot of a victim machine above) are designed to entrap casual software/music consumers looking for a "freebie."

    The KAZAAKRYPTON backdoor creates a process named "CMD32" which is visible in the task manager (Ctrl+Alt+Del) keys and can be stopped, whereupon the copying of more files to the C:\WINDOWS\User32 folder ceases. However, all files in such folder must be considered suspect and should be destroyed in total, especially if the "User32" folder exists on a machine that doesn't have Kazaa installed.

    The IGLOO KAZAA trojan behaves in a similar fashion, but sets up shop in a folder called C:\WINDOWS\Sys32. Same situation, less prolific.

    Privacy Software Corporation's BOClean 4.10 software, designed to detect and defeat trojan horse programs, is fully effective in removing these servers regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine.


    COPYRIGHTED MATERIAL:

    Copyright (c) 2003 by Privacy Software Corporation.
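    The advisory above gives a handful of host indicators: a Kazaa "LocalContent" share value pointing into the Windows folder (C:\WINDOWS\User32 or C:\WINDOWS\Sys32), a running process named CMD32, and a burst of roughly six new files per minute. The script below is an added example (not part of the advisory, and not Privacy Software Corporation's or BOClean's code) that turns those indicators into a triage check. It parses a `reg export` style dump of the LocalContent key, scans a list of process image names, and measures the peak file-creation rate from a list of creation timestamps. The registry text, process list and timestamps are constructed for the demo; the exact value format Kazaa used for its DirN entries is assumed to be a plain path string.

```python
"""Host triage for the Kazaa-style backdoor indicators in the advisory.
Added example: sample data below is constructed, not captured from a victim."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators quoted from the advisory.
SHARE_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
KNOWN_BAD_DIRS = {r"C:\WINDOWS\User32", r"C:\WINDOWS\Sys32"}
BAD_PROCESS = "cmd32"

# Constructed sample of `reg export` (.reg) output. "Dir6" is the hook the
# advisory describes; "Dir1" is an ordinary user-chosen share folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DownloadDir"="C:\\Program Files\\Kazaa\\My Shared Folder"
"Dir1"="D:\\Music"
"Dir6"="C:\\WINDOWS\\User32"
'''

# Constructed process list (image names as Task Manager would show them).
SAMPLE_PROCS = ["explorer.exe", "KAZAA.EXE", "CMD32.EXE", "winamp.exe"]

# Constructed creation times: twelve files, one every ten seconds.
SAMPLE_CTIMES = [datetime(2003, 2, 16, 12, 0, 0) + timedelta(seconds=10 * i)
                 for i in range(12)]

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes
            current[m.group(1)] = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
    return keys


def suspicious_share_dirs(keys, windir=r"C:\WINDOWS"):
    """(value_name, path) for DirN share entries that point inside the Windows
    folder or at one of the folder names the advisory lists."""
    hits = []
    for name, path in keys.get(SHARE_KEY, {}).items():
        if not name.lower().startswith("dir"):
            continue
        p = PureWindowsPath(path)  # case-insensitive comparisons on Windows paths
        if PureWindowsPath(windir) in p.parents or path in KNOWN_BAD_DIRS:
            hits.append((name, path))
    return hits


def suspicious_processes(process_names):
    """Process image names matching the CMD32 process from the advisory."""
    return [p for p in process_names if p.lower().split(".")[0] == BAD_PROCESS]


def peak_files_per_minute(ctimes):
    """Largest number of files created within any sliding 60-second window."""
    times = sorted(ctimes)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] >= timedelta(seconds=60):
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(reg_text, process_names, ctimes):
    """Combine the three checks into one findings dict."""
    keys = parse_reg_export(reg_text)
    return {
        "share_dirs": suspicious_share_dirs(keys),
        "processes": suspicious_processes(process_names),
        "peak_files_per_minute": peak_files_per_minute(ctimes),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REG, SAMPLE_PROCS, SAMPLE_CTIMES).items():
        print(f"{k}: {v}")
```

    On a real machine the inputs would come from `reg export HKCU\Software\Kazaa\LocalContent`, a process listing, and the creation times of files in the flagged share folder; any DirN share under the Windows directory is worth treating as the hook the advisory describes, whether or not Kazaa is actually installed.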
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Thanks Tony, think I'll stick this to the top for a bit ;)
     
  3. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Thanks Candy! :)

    New trojans and worms appear on the scene on a daily basis, but every now and then there's one that deserves some extra attention.

    Cheers,
     
  4. angelize56

    angelize56 Always remembered in our hearts

    Joined:
    Apr 17, 2002
    Messages:
    82,163
    Tony: Does Spybot or AVG catch these? Is Kazaa Lite included in where you can get these trojans from or just regular Kazaa? Take care and thanks. angel
     
  5. TonyKlein

    TonyKlein Malware Specialist Thread Starter

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Angel,

    It's a trojan, and it's promising to be big, so therefore all antitrojan and antivirus software will certainly target this one before long.

    According to the article you don't even need to be running a file sharing application to catch it.

    All that's necessary is downloading "cracked" or "free" software, music, or pornography containing this nastie, whatever the source, although people running a P2P app are obviously most at risk.
     
  6. boyoh53

    boyoh53

    Joined:
    Nov 28, 2002
    Messages:
    2,984
    My son and I share the same ISP on different computers, one on at a time. He refuses to use anti-virus and anti-trojan protection.
    I'm the opposite with all the protection I can find.
    My question is this. If he became infected, does that put me at risk as well? :confused:
     
  7. Davey7549

    Davey7549

    Joined:
    Feb 28, 2001
    Messages:
    11,584
    Tony
    Thanks for the heads up! Seems the virus\trojan kiddies are getting really creative. Will pass the info on!

    Thanks again

    Dave
     
  8. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Not as long as you aren't networked and don't exchange any files with him.
     
  9. boyoh53

    boyoh53

    Joined:
    Nov 28, 2002
    Messages:
    2,984
    AcaCandy, Thanks for reply. Your answer is music to my ears.
    At him again last night but still refuses. He uses this KaZaA site
    and lyrics sites which I am sure could be dodgy as well.:D
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,101
    Thanks Tony

    Gonna be telling a few others I know about it, and keep a vigilant eye on the MP3s I get from WinMX.

    eddie
     
  11. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Think I should mention again that a true MP3, text, graphic, or other pure-data file CAN NOT contain this trojan.
    So, if you right click on a downloaded song, and File Type: says MP3, Wave, etc. it can't be a virus (except for a problem with Winamp that can be exploited using ID3 tags, but that's all been cleared up).

    If you are not sure if a file is really a song, open your media player, and go to File>>Open and open the song. That way it will play if it's really a song, and won't run if it's actually an executable.

    Same thing with images, but open IrfanView or Paint instead.
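    The post above suggests checking what a download really is by opening it in a media player or image viewer rather than double-clicking it. The script below is an added example (mine, not the poster's) that does the same check programmatically: it reads the first bytes of a file and compares the format they identify with the format the filename claims, so a "song.mp3" that actually starts with a Windows executable header is reported as an executable. The sample byte strings are constructed; the signature table covers only the common audio and image formats named in the thread.

```python
"""Compare a download's header bytes with what its extension claims.
Added example; SAMPLES below are constructed byte strings, not real files."""
import os

# (label, offset, magic bytes) for the formats discussed in the thread.
SIGNATURES = [
    ("mp3", 0, b"ID3"),                 # MP3 carrying an ID3v2 tag
    ("wav", 0, b"RIFF"),                # RIFF container; must also say WAVE
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("pe-executable", 0, b"MZ"),        # DOS/Windows executable header
]
MEDIA_EXT = {".mp3": "mp3", ".wav": "wav", ".jpg": "jpeg",
             ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Constructed samples: only the leading bytes matter for this check.
SAMPLES = {
    "id3_mp3": b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 16,
    "raw_mp3": b"\xff\xfb\x90\x00" + b"\x00" * 16,     # MPEG frame sync, no tag
    "wav": b"RIFF\x24\x00\x00\x00WAVEfmt " + b"\x00" * 16,
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
    "disguised_exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16,
}


def sniff(data):
    """Identify the format from header bytes; 'unknown' if nothing matches."""
    for label, off, magic in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            if label == "wav" and data[8:12] != b"WAVE":
                return "riff-other"
            return label
    # MPEG audio without an ID3 tag starts with an 11-bit frame sync (0xFFE).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def check_download(name, data):
    """Return (verdict, sniffed_format, format_claimed_by_extension).

    EXECUTABLE trumps everything: an MZ header is a program no matter what
    the name says. MISMATCH means a media extension over non-matching bytes.
    """
    ext = os.path.splitext(name)[1].lower()
    expected = MEDIA_EXT.get(ext)
    sniffed = sniff(data)
    if sniffed == "pe-executable":
        verdict = "EXECUTABLE"
    elif expected is None:
        verdict = "NOT_MEDIA_EXTENSION"
    elif sniffed == expected:
        verdict = "OK"
    else:
        verdict = "MISMATCH"
    return verdict, sniffed, expected


def check_file(path, nbytes=64):
    """Convenience wrapper for a real file on disk: reads only the header."""
    with open(path, "rb") as fh:
        return check_download(os.path.basename(path), fh.read(nbytes))


if __name__ == "__main__":
    cases = [("song.mp3", "id3_mp3"), ("song.mp3", "raw_mp3"), ("clip.wav", "wav"),
             ("photo.jpg", "jpeg"), ("song.mp3", "disguised_exe"), ("photo.jpg", "wav")]
    for name, key in cases:
        print(name, key, check_download(name, SAMPLES[key]))
```

    The point the poster makes still holds: a file whose bytes are genuinely MP3 or JPEG data cannot run, so the dangerous case is the one reported as EXECUTABLE, where the name promises media but the header is a program.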
     
Short URL to this thread: https://techguy.org/119308