
K2PS.EXE Trojan

Risk Level 1: Very Low

Discovered:
May 12, 1999
Updated:
February 13, 2007 11:34:15 AM
Also Known As:
Trojan Horse, TX-500
Type:
Trojan Horse

K2PS.EXE is a Trojan Horse that was distributed in Japan as an email attachment named "K2PS.EXE" to users of Fujitsu's InfoWeb Internet accounts.



1) K2PS.EXE is a 32-bit Windows executable designed to run under Windows 95/98. It does not work under Windows NT because the specific API it uses to retrieve the stored password information is not available there.

2) When the file is executed, it will copy itself to the "WINDOWS\SYSTEM" directory.

3) A value is added under the following registry key so that K2PS.EXE is executed automatically every time Windows starts: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4) When Windows is re-launched, the K2PS.EXE program will automatically execute and a hidden file called K2PS.CFG will be created in the \WINDOWS\SYSTEM directory.

5) If the computer is connected to the Internet, the trojan connects to an email server in Brazil and attempts to send the computer's dialup information, including the login name and password. The mail-sending strings are not visible in plain text in the executable: they are obfuscated with a simple byte-rotate ("ROR") scheme, which hides them from a casual strings dump but is trivially reversible.

6) The information is addressed to a "free mail" account in Japan, "back@trynet.co.jp", which makes the owner of the account difficult to trace.
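The following is an added triage example and not code from the original writeup or the trojan itself. It illustrates steps 5 and 6: strings hidden by a byte-wise rotate are recovered by trying every rotation count and scoring each candidate for printable text and SMTP verbs, after which the recipient of the exfiltrated data can be read off the RCPT TO line. The rotation count (3), the bit width (8-bit bytes), the SMTP session text and the addresses are all constructed assumptions for the illustration; the page does not give the real sample's values.

```python
import re
import string

# Constructed assumptions: per-byte rotation, count unknown to the analyst.
PRINTABLE = set(bytes(string.printable, "ascii"))
SMTP_MARKERS = (b"HELO", b"MAIL FROM:", b"RCPT TO:", b"DATA")
RCPT_RE = re.compile(rb"RCPT TO:<([^>]+)>")


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (the inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def obfuscate(data: bytes, n: int) -> bytes:
    """Hide a string the way a simple ROR scheme would: rotate every byte right by n."""
    return bytes(ror8(b, n) for b in data)


def deobfuscate(data: bytes, n: int) -> bytes:
    """Undo obfuscate(): rotate every byte left by n."""
    return bytes(rol8(b, n) for b in data)


def score(candidate: bytes) -> int:
    """Heuristic: count printable bytes, and weight SMTP verbs heavily."""
    printable = sum(1 for b in candidate if b in PRINTABLE)
    hits = sum(candidate.count(m) for m in SMTP_MARKERS)
    return printable + 10 * hits


def recover(blob: bytes):
    """Brute-force the 7 non-trivial rotation counts; return (count, plaintext) of the best."""
    best = max(range(1, 8), key=lambda n: score(deobfuscate(blob, n)))
    return best, deobfuscate(blob, best)


def exfil_recipients(plaintext: bytes):
    """Pull the drop-box addresses out of the recovered SMTP session."""
    return [addr.decode("ascii") for addr in RCPT_RE.findall(plaintext)]


# Constructed sample: an SMTP session of the kind the writeup describes,
# obfuscated with ROR by 3. Not taken from the real binary.
SAMPLE_PLAIN = (
    b"HELO victim\r\n"
    b"MAIL FROM:<victim@example.invalid>\r\n"
    b"RCPT TO:<dropbox@example.invalid>\r\n"
    b"DATA\r\n"
    b"user=victim pass=hunter2\r\n"
    b".\r\n"
)
SAMPLE_BLOB = obfuscate(SAMPLE_PLAIN, 3)

if __name__ == "__main__":
    count, text = recover(SAMPLE_BLOB)
    print(f"rotation count: {count}")
    print(text.decode("ascii"))
    print("exfil to:", exfil_recipients(text))
```

Because the scheme is a fixed rotation with no key, the same brute force works on any sample that uses it; in practice one runs it over every high-entropy string-sized region of the binary rather than a single known blob.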


Antivirus Protection Dates

  • Initial Rapid Release version December 20, 2000
  • Latest Rapid Release version August 20, 2008 revision 017
  • Initial Daily Certified version December 20, 2000
  • Latest Daily Certified version August 20, 2008 revision 016
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
Writeup By: Motoaki Yamamura
