Description: 

K2PS.EXE is a Trojan Horse that was distributed as an email attachment with the filename
"K2PS.EXE" to users of Fujitsu's InfoWeb Internet accounts in Japan. The email
stated that a new virus called TX-500 had recently been discovered, that the attachment
was an antivirus program to eradicate the TX-500 virus, and that users should execute it on
their systems. The attachment was not an antivirus program of any sort. K2PS.EXE was a
malicious Trojan Horse program designed to steal your dialup network password
information and secretly send it to an email account in Japan. Once the creator of this
trojan has received this information, it is possible to take over the user's Internet account,
access the user's email, run up the Internet access bill and even change the password to the
Internet account. If you received this file and have executed it, it is important to
change all the passwords on your dialup network accounts.

More Information:

1) K2PS.EXE is a 32-bit Windows executable designed to work under Windows
    95/98. It will not work under Windows NT because of the specific API it uses to retrieve the
    password information. 

2) When the file is executed, it will copy itself to the "WINDOWS\SYSTEM" directory. 

3) The following registry key will be modified to execute the K2PS.EXE program
    automatically every time Windows is launched:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 

4) When Windows is re-launched, the K2PS.EXE program will automatically execute and
    a hidden file called K2PS.CFG will be created in the \WINDOWS\SYSTEM directory. 

5) If you are connected to the Internet, the trojan will automatically connect to an email
    server in Brazil and try to send the dialup information from the computer including login
    name and password. This script is not visible within the executable because it has
    been encrypted with a simple "ROR" algorithm. 

6) The information is sent to a "free mail" email user account in Japan with the email
    address of "[email protected]", so it is difficult to trace the owner of the email account. 
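
As an added illustration (not code from the original write-up or from the trojan), the sketch below shows why a per-byte rotate gives an analyst little trouble: there are only seven non-trivial rotation counts, so each can be tried and the output searched for expected text. The per-byte rotation, the SMTP keyword list and the sample buffer are assumptions constructed for this example.

```python
import re

# Assumed plaintext markers: SMTP commands a mail-sending script would contain.
SMTP_MARKERS = (b"HELO", b"MAIL FROM", b"RCPT TO", b"DATA")


def rol8(byte, count):
    """Rotate one byte left by count bits (the inverse of ROR by count)."""
    count %= 8
    return ((byte << count) | (byte >> (8 - count))) & 0xFF


def ror8(byte, count):
    """Rotate one byte right by count bits."""
    return rol8(byte, 8 - (count % 8))


def printable_runs(data, min_len=4):
    """Return runs of printable ASCII, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def recover_ror_strings(blob, markers=SMTP_MARKERS):
    """Try every rotation count; return (count, strings) for the best match.

    A per-byte rotation has only 7 non-trivial keys, so all are tried and
    scored by how many markers appear. Returns (0, []) if none match.
    """
    best = (0, 0, [])
    for count in range(1, 8):
        decoded = bytes(rol8(b, count) for b in blob)
        score = sum(marker in decoded for marker in markers)
        if score > best[0]:
            best = (score, count, printable_runs(decoded))
    return best[1], best[2]


# Constructed sample (not taken from K2PS.EXE): an SMTP fragment rotated
# right by 3 bits per byte, surrounded by filler bytes.
SAMPLE_PLAIN = (b"HELO host\r\nMAIL FROM:<sender@example.test>\r\n"
                b"RCPT TO:<recipient@example.test>\r\nDATA\r\n")
SAMPLE_BLOB = b"\x00\x90\x90" + bytes(ror8(b, 3) for b in SAMPLE_PLAIN) + b"\xff\x00"

if __name__ == "__main__":
    count, strings = recover_ror_strings(SAMPLE_BLOB)
    print("rotation count:", count)
    for s in strings:
        print(s.decode("ascii"))
```
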

Manual Removal of the Trojan:

If you have not executed K2PS.EXE, simply delete the file. If you have executed the file,
follow these steps to clean up your system.

1) Delete K2PS.EXE 

2) Delete K2PS.EXE from \WINDOWS\SYSTEM directory. 

3) Delete a hidden file called K2PS.CFG from \WINDOWS\SYSTEM directory. You will
    have to remove the "hidden" attribute before you can delete the file, using a command
    such as "attrib -h -r k2ps.cfg". 

4) Use regedit.exe and delete the following registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\K2ps.tasks
    C:\WINDOWS\SYSTEM\K2PS.EXE 

5) Lastly and most importantly, change your password for all of the dialup network
    accounts you have registered on your computer. If you do not know how to change your
    password for the dialup network accounts, you should contact the support center of your
    Internet provider. 

                   Write-up by: Motoaki Yamamura
                     Updated: May 12, 1999