K2PS.EXE Trojan

K2PS.EXE is a Trojan Horse that was distributed as an email attachment with the filename of "K2PS.EXE" to users of Fujitsu's InfoWeb Internet account users in Japan.



1) K2PS.EXE is a 32-bit Windows executable and designed to work under Windows 95/98. It will not work under Windows NT because of specific API it uses to retrieve the password information.

2) When the file is executed, it will copy itself to the "WINDOWS\SYSTEM" directory.

3) The following registry key will be modified to execute K2PS.EXE program automatically every time Windows is launched: \\HKEY_LOCAL_MACHINE\Software\Microsoft\Window\CurrentVersion\Run

4) When Windows is re-launched, the K2PS.EXE program will automatically execute and a hidden file called K2PS.CFG will be created in the \WINDOWS\SYSTEM directory.

5) If you are connected to the Internet, the trojan will automatically connect to an email server in Brazil and try to send the dialup information from the computer including login name and password. It is not possible to see this script with in the executable since it has been encrypted with a simple "ROR" algorithm.

6) The information is sent to a "free mail" email user account in Japan with the email address of "back@trynet.co.jp", so it is difficult to trace the owner of the email account.

Protection

• Initial Rapid Release version December 20, 2000
• Latest Rapid Release version March 3, 2008 revision 035
• Initial Daily Certified version December 20, 2000
• Latest Daily Certified version March 3, 2008 revision 037
• Initial Weekly Certified release date pending

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low