- Discovered: May 12, 1999
- Updated: February 13, 2007 11:34:15 AM
- Also Known As: Trojan Horse, TX-500
- Type: Trojan Horse
K2PS.EXE is a Trojan Horse that was distributed as an email attachment with the filename "K2PS.EXE" to users of Fujitsu's InfoWeb Internet accounts in Japan.
1) K2PS.EXE is a 32-bit Windows executable designed to work under Windows 95/98. It will not work under Windows NT because of the specific API it uses to retrieve the password information.
2) When the file is executed, it will copy itself to the "WINDOWS\SYSTEM" directory.
3) The following registry key will be modified to execute the K2PS.EXE program automatically every time Windows is launched: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4) When Windows is re-launched, the K2PS.EXE program will automatically execute and a hidden file called K2PS.CFG will be created in the \WINDOWS\SYSTEM directory.
5) If you are connected to the Internet, the trojan will automatically connect to an email server in Brazil and try to send the dialup information from the computer, including the login name and password. It is not possible to see this script within the executable, since it has been encrypted with a simple "ROR" algorithm.
6) The information is sent to a "free mail" email user account in Japan with the email address of "back@trynet.co.jp", so it is difficult to trace the owner of the email account.
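For analysts examining a sample, step 5's "ROR" obfuscation can be undone by trying every rotation count and keeping the one that yields the most readable text. The following is an added example, not code from the original writeup; it assumes each byte is rotated independently by one fixed count, and the sample bytes and their plaintext are constructed stand-ins, since the real script is not reproduced on this page.

```python
def ror8(b, n):
    """Rotate one byte right by n bits."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF

def rol8(b, n):
    """Rotate one byte left by n bits (undoes ror8 with the same n)."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF

def printable_runs(data, min_len=6):
    """Return [(offset, text)] for runs of printable ASCII >= min_len bytes."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):   # sentinel closes a trailing run
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs

def best_rotation(blob, min_len=6):
    """Try ROL 1..7 on every byte; return (count, runs) with most text recovered."""
    best = (0, [])
    for n in range(1, 8):
        runs = printable_runs(bytes(rol8(b, n) for b in blob), min_len)
        if sum(len(t) for _, t in runs) > sum(len(t) for _, t in best[1]):
            best = (n, runs)
    return best

def constructed_sample():
    """Constructed test data: two stand-in strings, ROR-3 encoded, with padding."""
    plain = [b"HELO client.example.invalid", b"MAIL FROM:<user@example.invalid>"]
    enc = [bytes(ror8(b, 3) for b in s) for s in plain]
    return b"\x00\xff\x00\xff" + enc[0] + b"\x00\x00" + enc[1] + b"\xff\xff"

if __name__ == "__main__":
    count, runs = best_rotation(constructed_sample())
    print("rotation count:", count)
    for offset, text in runs:
        print(f"  0x{offset:04x}  {text}")
```

Against a real file, pass the section bytes to `best_rotation` and review the recovered runs for mail server names and addresses worth adding to network blocklists.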
Antivirus Protection Dates
- Initial Rapid Release version December 20, 2000
- Latest Rapid Release version August 20, 2008 revision 017
- Initial Daily Certified version December 20, 2000
- Latest Daily Certified version August 20, 2008 revision 016
- Initial Weekly Certified release date pending
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: Low
Distribution
- Distribution Level: Low



