
Beware the ‘Kryptik’ Trojan.


Postby Bandung_Dero » February 19, 2010, 2:23 pm

This morning my PC was attacked by a variant of the ‘Kryptik’ Trojan, which somehow got through NOD32 initially but was picked up later. Too late, damage done; the only way I could get into my machine was via a boot CD. It corrupted the boot.ini file (XP Prof SP3), although on initial inspection it looked OK, and it wasn’t until I built a new file that I was able to get past the ‘Disk Error’ message I received on boot up and get in to finish cleaning the mess. A heart-stopping couple of hours.

Note:
Look at your C:\Windows\system32 folder
Look for 3 files NLx.EXE

x = B, C, D,

Delete them or if unsure move them to another ‘Junk’ folder.

Then

Look at your C:\Windows\Prefetch folder
Look for 3 files starting with NLx.EXE; they will look something like NLB.EXE-1E7655f5.pf

x = B, C, D,

Delete them or if unsure move them to another ‘Junk’ folder.

After they have done their damage they get moved to your ……\Local Settings\Temp\ folder as NLD.EXE. It was on the move that NOD32 detected their presence.


KEEP A COPY OF YOUR ‘boot.ini’ file on a memory stick as there are many viruses out there that attack it.
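The manual check described in the post above, as an added example that is not part of the original thread: it looks for the NLB/NLC/NLD.EXE files and their Prefetch traces and moves any hits to a 'Junk' folder instead of deleting them. The function names, the `.quarantined` suffix and the manifest format are assumptions, and the Temp folder must be supplied by the caller because its full path is elided in the post.

```python
import hashlib
import re
import shutil
from pathlib import Path

# File names from the post: NLx.EXE with x = B, C, D (Windows names are case-insensitive).
EXE_RE = re.compile(r"^NL[BCD]\.EXE$", re.IGNORECASE)
# Prefetch traces look like NLB.EXE-1E7655f5.pf: name, dash, 8 hex digits, ".pf".
PF_RE = re.compile(r"^NL[BCD]\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def find_indicators(windows_dir, temp_dirs=()):
    """Return a sorted list of files matching the names given in the post."""
    windows_dir = Path(windows_dir)
    targets = [(windows_dir / "system32", EXE_RE), (windows_dir / "Prefetch", PF_RE)]
    # Temp folders are passed in by the caller (path is elided in the post).
    targets += [(Path(t), EXE_RE) for t in temp_dirs]
    hits = []
    for folder, pattern in targets:
        if not folder.is_dir():
            continue  # e.g. Prefetch disabled or a profile without a Temp folder
        for entry in folder.iterdir():
            if entry.is_file() and pattern.match(entry.name):
                hits.append(entry)
    return sorted(hits)


def quarantine(hits, junk_dir):
    """Move hits into junk_dir; return a manifest so a false positive can be restored."""
    junk = Path(junk_dir)
    junk.mkdir(parents=True, exist_ok=True)
    manifest = []
    for n, src in enumerate(hits):
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        # Numbered prefix avoids name clashes; the extra suffix stops the
        # file from being launched by accident from the junk folder.
        dest = junk / f"{n:03d}_{src.name}.quarantined"
        shutil.move(str(src), str(dest))
        manifest.append({"original": str(src), "stored": str(dest), "sha256": digest})
    return manifest


if __name__ == "__main__":
    # Report only; call quarantine() after reviewing the list.
    for hit in find_indicators(r"C:\Windows"):
        print(hit)
```

The SHA-256 in the manifest can be checked against a second scanner's verdict before the quarantined copies are finally deleted.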

Re: Beware the ‘Kryptik’ Trojan.

Postby BobHelm » February 19, 2010, 2:50 pm

‘Kryptik’ Trojan is quite an old one Dero. I've seen mention of it going back to October 2008 so am surprised your virus checker didn't find it. Mind you these clever little people are always making new, uncheckable versions. Thanks for the warning, any idea where you picked it up?

Re: Beware the ‘Kryptik’ Trojan.

Postby Bandung_Dero » February 19, 2010, 4:43 pm

Bob, no idea where it came from. I have been downloading a number of utilities lately (which all work perfectly) to help me build a new package in QLD Aust. next month emulating (mirror) this machine. I normally scan ALL new executables before running them, maybe I missed something! From the searches I have made it is a "variant" with many different fields of attack, really depends on the extension. The one that got me was Kryptik.CKB and hence the NLD.EXE attack.

TTF my machine has fully recovered and I have downloaded a 2nd MalWare product to do a double check.

Re: Beware the ‘Kryptik’ Trojan.

Postby BobHelm » February 19, 2010, 4:55 pm

I'm glad your machine is A OK again!!
Yes, downloading is always a bit of a worry, not the product so much as the site you get it from. Some sites are a little naughty at slipping in things that you have not asked for (not malicious, just unasked for) & some sites will slip in spyware, malware, viruses as well!!
I have ADV threat & WOT FF add-on running on my PC. Neither is foolproof, but they both try & identify 'safe' sites when you are googling things, which gives me a bit more reassurance.
Thanks for the heads up & how to restore an infected machine as well...

