MSIL/Kryptik.MVB!tr is a generic detection for a downloader Trojan. Because this is a generic detection, samples carrying it may differ in behaviour.
Some MSIL/Kryptik.MVB!tr samples are associated with the Fareit (aka Pony) malware family.
Below are some of the observed characteristics/behaviours:
- This malware has been observed to attempt to connect to:
- Once connected, the malware may attempt to download the following files:
- This malware may drop one or more of the following files:
- %Temp%\Name of the melted file.exe : a copy of the original file
- %AppData%\Microsoft\Windows\Start Menu\Programs\[RandomName_1].exe : a copy of the original file
- %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\[RandomName_1].[RandomName_2].lnk : a shortcut (.lnk) that points to the previously dropped file and runs it at every startup
- This malware may delete the original file after execution (the "melted" original referred to above).
- This trojan may act as a keylogger.
- This trojan may use anti-virtual-machine techniques.
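As an added example (not from the Fortinet entry), the following Python script hunts for the persistence pattern described in the dropped-files list: it parses Shell Link (.lnk) files in the Startup folder according to the public [MS-SHLLINK] layout and flags any shortcut whose target is an .exe sitting directly in Start Menu\Programs, a folder that normally holds only shortcuts, with a stronger match when the names follow the [RandomName_1].[RandomName_2].lnk -> [RandomName_1].exe pattern. The user profile path, shortcut names and .lnk blobs below are constructed for the demo; on a Windows host the script reads the real Startup folder via %APPDATA% instead.

```python
import os
import struct
from pathlib import Path, PureWindowsPath

# LinkFlags bits from [MS-SHLLINK] section 2.1.1 (only the ones used here).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# Assumed profile path for the constructed samples; the live scan derives it from %APPDATA%.
PROGRAMS_DIR = PureWindowsPath(r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs")


def _cstring(buf, off, unicode=False):
    """Read a NUL-terminated ANSI or UTF-16LE string starting at buf[off]."""
    if unicode:
        end = off
        while buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[off:end].decode("utf-16-le")
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Return the LinkInfo target path plus any StringData fields of a Shell Link blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; LinkInfo carries the path we want
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, hdr_size, li_flags, _vol, base_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath
            if hdr_size >= 0x24:                 # optional Unicode offsets are present
                base_off, suffix_off = struct.unpack_from("<2I", data, li + 0x1C)
                target = _cstring(data, li + base_off, True) + _cstring(data, li + suffix_off, True)
            else:
                target = _cstring(data, li + base_off) + _cstring(data, li + suffix_off)
        pos += li_size
    fields = {"target": target}
    for flag, name in STRING_DATA:               # CountCharacters-prefixed strings, in spec order
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def classify_startup_lnk(lnk_name, lnk_bytes, programs_dir=PROGRAMS_DIR):
    """Return a reason string if the shortcut fits the dropper's persistence pattern, else None."""
    target_str = parse_lnk(lnk_bytes)["target"]
    if not target_str:
        return None
    target = PureWindowsPath(target_str)          # PureWindowsPath compares case-insensitively
    # Legitimate Startup shortcuts point into Program Files etc.; an .exe placed directly
    # in Start Menu\Programs (a folder meant for shortcuts) is the dropper's tell.
    if target.suffix.lower() != ".exe" or target.parent != programs_dir:
        return None
    parts = lnk_name.split(".")
    if len(parts) == 3 and parts[0].lower() == target.stem.lower():
        return f"{lnk_name} -> {target}: [RandomName_1].[RandomName_2].lnk launching [RandomName_1].exe"
    return f"{lnk_name} -> {target}: .exe dropped directly in Start Menu\\Programs"


def hunt_startup(listing, programs_dir=PROGRAMS_DIR):
    """listing maps .lnk file name -> bytes; returns {name: reason} for every hit."""
    hits = {}
    for name, blob in listing.items():
        if name.lower().endswith(".lnk"):
            reason = classify_startup_lnk(name, blob, programs_dir)
            if reason:
                hits[name] = reason
    return hits


def scan_startup_folder():
    """Run the hunt against the live Startup folder of the current Windows user."""
    programs = Path(os.environ["APPDATA"]) / "Microsoft" / "Windows" / "Start Menu" / "Programs"
    listing = {p.name: p.read_bytes() for p in (programs / "Startup").glob("*.lnk")}
    return hunt_startup(listing, PureWindowsPath(programs))


def build_lnk(target_path, relative_path=None):
    """Constructed sample: minimal Shell Link with LinkInfo/LocalBasePath and optional RelativePath."""
    flags = HAS_LINK_INFO | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)
    volume_id = struct.pack("<4I", 0x11, 3, 0xDEADBEEF, 0x10) + b"\x00"   # fixed drive, empty label
    base = target_path.encode("cp1252") + b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)                                     # CommonPathSuffix is just NUL
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x01, vol_off, base_off, 0, suffix_off)
    blob = header + link_info + volume_id + base + b"\x00"
    if relative_path:
        blob += struct.pack("<H", len(relative_path)) + relative_path.encode("cp1252")
    return blob


# Constructed Startup folder listing: one shortcut per the observed pattern, two benign ones.
SAMPLE_STARTUP = {
    "Kxqv.Lzpd.lnk": build_lnk(str(PROGRAMS_DIR / "Kxqv.exe"), relative_path=r"..\Kxqv.exe"),
    "OneDrive.lnk": build_lnk(r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    "Editor.lnk": build_lnk(str(PROGRAMS_DIR / "Accessories" / "Editor.exe")),  # subfolder, not the pattern
}

if __name__ == "__main__":
    hits = scan_startup_folder() if os.environ.get("APPDATA") else hunt_startup(SAMPLE_STARTUP)
    for reason in hits.values():
        print("SUSPICIOUS:", reason)
```

The parser takes the path from LinkInfo rather than from the RelativePath string because RelativePath is resolved against the shortcut's own location and a dropper can omit it; any .lnk that fails to parse, or whose LinkInfo has no local path, is worth a manual look rather than a silent skip.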
- Make sure your FortiGate/FortiClient system is using the latest AV database.
- Quarantine or delete detected files and replace infected files with clean backup copies.