Description:

K2PS.EXE is a Trojan Horse that was distributed as an email attachment with the filename "K2PS.EXE" to users of Fujitsu's InfoWeb Internet service in Japan. The email claimed that a new virus called TX-500 had recently been discovered, that the attachment was an antivirus program to eradicate the TX-500 virus, and that users should execute it on their systems. The attachment was not an antivirus program of any sort. K2PS.EXE is a malicious Trojan Horse program designed to steal your dial-up network password information and secretly send it to an email account in Japan. Once the creator of this trojan has received this information, it is possible to take over the user's Internet account, access the user's email, run up the Internet access bill and even change the password to the Internet account. If you received this file and have executed it, it is important to change all your passwords on your dial-up network accounts.

More Information:

1) K2PS.EXE is a 32-bit Windows executable designed to work under Windows 95/98. It will not work under Windows NT because of the specific API it uses to retrieve the password information.

2) When the file is executed, it copies itself to the "WINDOWS\SYSTEM" directory.

3) The following registry key is modified so that the K2PS.EXE program executes automatically every time Windows is launched:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4) When Windows is re-launched, the K2PS.EXE program executes automatically and a hidden file called K2PS.CFG is created in the \WINDOWS\SYSTEM directory.

5) If you are connected to the Internet, the trojan automatically connects to an email server in Brazil and tries to send the dial-up information from the computer, including login name and password. It is not possible to see this script within the executable, since it has been encrypted with a simple "ROR" algorithm.

6) The information is sent to a "free mail" email account in Japan with the email address "[email protected]", so it is difficult to trace the owner of the email account.

Manual Removal of the Trojan:

If you have not executed K2PS.EXE, simply delete the file. If you have executed the file, follow these steps to clean up your system.

1) Delete the original K2PS.EXE file (the email attachment).

2) Delete K2PS.EXE from the \WINDOWS\SYSTEM directory.

3) Delete the hidden file called K2PS.CFG from the \WINDOWS\SYSTEM directory. You will have to clear the "hidden" attribute before you can delete the file, using a command such as "attrib -hr k2ps.cfg".

4) Use regedit.exe and delete the following value under the Run key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   K2ps.tasks = C:\WINDOWS\SYSTEM\K2PS.EXE

5) Lastly and most importantly, change your password for all of the dial-up network accounts you have registered on your computer. If you do not know how to change your password for the dial-up network accounts, contact the support center of your Internet provider.

Write-up by: Motoaki Yamamura
Updated: May 12, 1999
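The write-up notes that the mail-sending script inside the executable is hidden with a simple "ROR" algorithm. The following is an added analyst-side example, not code from the write-up or from the sample, showing how such an obfuscated blob can be recovered when the rotation count is unknown. It assumes a per-byte rotate-right by a fixed count of 1 to 7 bits (the write-up does not say this); the sample script text is constructed here.

```python
# Added example: recovering a per-byte ROR-obfuscated blob when the rotation
# count is unknown. Assumption (not stated in the write-up): each byte was
# rotated right by the same count k in 1..7. Every candidate count is undone
# with a rotate-left, and the candidate producing the most printable ASCII wins.
import string

PRINTABLE = set(string.printable.encode())


def ror8(b: int, k: int) -> int:
    """Rotate an 8-bit value right by k bits."""
    k %= 8
    return ((b >> k) | (b << (8 - k))) & 0xFF


def rol8(b: int, k: int) -> int:
    """Rotate an 8-bit value left by k bits (inverse of ror8 for the same k)."""
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF


def ror_bytes(data: bytes, k: int) -> bytes:
    """Obfuscate: rotate every byte right by k (what the write-up calls ROR)."""
    return bytes(ror8(b, k) for b in data)


def rol_bytes(data: bytes, k: int) -> bytes:
    """Deobfuscate a blob that was produced by ror_bytes(data, k)."""
    return bytes(rol8(b, k) for b in data)


def printable_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 means all printable."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def recover_ror(blob: bytes) -> tuple[int, bytes]:
    """Try every rotation count 1..7 and return (count, decoded) for the
    candidate that looks most like text. A wrong count leaves control bytes
    or high-bit bytes in the output, which lowers its score."""
    candidates = {k: rol_bytes(blob, k) for k in range(1, 8)}
    best_k = max(candidates, key=lambda k: printable_score(candidates[k]))
    return best_k, candidates[best_k]


# Constructed sample: a stand-in for an embedded mail script, obfuscated with ROR 3.
SAMPLE_PLAINTEXT = (b"HELO host\r\nMAIL FROM:<user@example.invalid>\r\n"
                    b"RCPT TO:<drop@example.invalid>\r\n")
SAMPLE_BLOB = ror_bytes(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    k, plain = recover_ror(SAMPLE_BLOB)
    print(f"rotation count {k}, score {printable_score(plain):.2f}")
    print(plain.decode("ascii", errors="replace"))
```

Because a rotate-left by k equals a rotate-right by 8-k, the same scan also recovers blobs that were produced with a rotate-left.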