epalmer

kynaoch.exe

Earlier today, I had a trojan installed on my computer. McAfee appeared to delete it, calling it "FakeAlert-Krypt!env.d". However, I found that my CPU was running at 100% and there was a process running called "kynaoch.exe" which I couldn't identify through a Google search. The process description looked like it was some sort of antivirus but was written in another language (possibly Swedish).

My help desk installed SuperAntiSpyware, which quickly detected and removed it. However, I was wondering how I could learn more about the trojan and why McAfee thought it was something else. Does anyone know where I can find more information?

Thanks,

Eric


Hi Eric,

I must admit I've never come across the kynaoch.exe process before; can you give the full description of what you see in Task Manager?


Thanks for your response. It no longer shows up in Task Manager because SuperAntiSpyware removed it.

After the alerts and finding that my computer was running slow, I opened up Task Manager and looked at the processes running. It showed a process labeled "kynaoch.exe" with a description of "IirDeramkel Antibibus Scagnur".

It looks like it was initially loaded as an AppData/local/temp file. I believe that I picked it up through an XSS flaw in my browser. I was researching a Microsoft Office issue, found a link that appeared to be a blog addressing such issues (utteraccess.com), and was redirected to a page that looked like the Wikipedia entry for Word but with the current date as the browser tab and a different URL. I got a message that ..../rad8E849.tmp.exe is not a valid Win32 application. I then got a dialog box labeled "On-Access Scan Messages" (which I think is McAfee's alert) saying virus alert with the name ...\Temporary Internet Files\Content.IE5\C2HRSQF7\exe[1].exe, which was detected as "FakeAlert-Krypt!env.d".

I appreciate any help you can give.

Thanks


It looks like it may have been a bad/fake Flash Player update (just guessing at this stage), but it may have been cleaned up now by SAS.

As a secondary precaution, try running AdwCleaner and delete what it finds.

Then run CCleaner to clean up any remnants.

Remember to select Custom Install and uncheck any extras that it may wish to install.


Hi,

I'd like to contribute additional info about this if I may:

Several days ago a system was brought to me for help in dealing with a similar malicious software infection. Like Eric (OP), the manufacturer identifier on several malicious processes shown via Task Manager was found to be: IirDeramkel S.R.L (the process names themselves (IDs) appear to be dynamically created, often hashed, and thus variable).

Google searches have as yet turned up only a few page hits with that [IirDeramkel] tag (this site being the most recent one as of yet). I have used a couple of other tools to gain further insight into the situation, and so far as I've been able to discern at this time, we are likely dealing with a rootkit problem (possibly Cidox.b or a similar variant).

Detection and accurate identification efforts are currently underway; however, it has been suggested this malware is relatively fresh in the wild and therefore hasn't flagged much of a visible profile within the major AV security community and related forums such as ESET / McAfee / TechRepublic (and others who I won't mention here, in deference to SAS et al.).

One thing I might add is that in the 2 cursory attempts I've made to *completely* remove the offending malware (at least so far), successful extraction/removal is initially indicated. However, such was not the case, and a rather persistent (stealthy) infection still remains. The malware appears to be able to dodge thorough detection techniques used by several popular AV products, but not all. However, those that do appear to detect it seem to report their detections with differing signature IDs. So it is likely that this malware fetches and enjoins additional malicious code using undetected or background system net connections. Furthermore, it appears to have successfully circumvented extraction routines employed by a couple of well-respected anti-rootkit tools which I've run against it so far.

I'm confident that it won't be long before a proper signature profile is generated and released for various security-tool updates. And it may even turn out that this is simply a fresh variant of a previously identified and thus relatively easily handled attack vector (trojan/rootkit/etc.).

I would be happy to share a few additional details; however, being new to this site, I will refrain from doing so unless specifically invited by SAS admins or staff members.

Respectfully,

charlie
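Both Eric's Task Manager observations (an executable loaded from AppData\Local\Temp with an odd publisher description) and charlie's note that the processes carried the publisher string "IirDeramkel S.R.L" under dynamically generated names are things a script can check in one pass. The following PowerShell triage script is an added example written for this page; it is not code from the thread, from SuperAntiSpyware or from any of the posters. It treats the "IirDeramkel" company string and the per-user Temp folders as assumed indicators taken from the thread, flags any process whose image matches them or is unsigned outside the Windows and Program Files trees, and prints the SHA-256 of the on-disk image so it can be looked up with or submitted to an AV vendor, which is the "where can I find more information" question the thread opens with.

```powershell
# Added example (not from the thread or from SuperAntiSpyware): triage running
# processes the way the posters did by hand in Task Manager.
# Run from an elevated PowerShell so the main module of every process is readable.

# Publisher string reported in the thread; an assumed indicator, not a vendor signature.
$SuspiciousCompanies = @('IirDeramkel')

# Per-user temp roots; the OP found the dropper under AppData\Local\Temp.
$TempRoots = @(
    [IO.Path]::GetFullPath($env:TEMP),
    (Join-Path $env:LOCALAPPDATA 'Temp')
) | Sort-Object -Unique

# Trees where an unsigned image is not flagged on signature status alone.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-PathUnderRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $root }
    }
    return $null
}

function Test-SuspiciousProcess {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    # Path and Company are PowerShell's extended properties read from the main module;
    # protected or foreign-session processes may refuse access, so treat that as "no data".
    try { $path = $Process.Path } catch { $path = $null }
    if (-not $path) { return $null }
    try { $company = $Process.Company } catch { $company = $null }

    $reasons = @()

    # 1. Image loaded from a Temp directory.
    $tempHit = Test-PathUnderRoot -Path $path -Roots $TempRoots
    if ($tempHit) { $reasons += "image loaded from temp dir '$tempHit'" }

    # 2. Version-info CompanyName matches an indicator string.
    foreach ($indicator in $SuspiciousCompanies) {
        if ($company -and $company -like "*$indicator*") {
            $reasons += "CompanyName '$company' matches indicator '$indicator'"
        }
    }

    # 3. Not validly Authenticode-signed and living outside Windows / Program Files.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid' -and -not (Test-PathUnderRoot -Path $path -Roots $TrustedRoots)) {
        $reasons += "signature status '$($sig.Status)' outside Windows/Program Files"
    }

    if ($reasons.Count -eq 0) { return $null }

    # SHA-256 of the on-disk image: the value to search for or submit to a vendor.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    [PSCustomObject]@{
        Name      = $Process.ProcessName
        Id        = $Process.Id
        Path      = $path
        Company   = $company
        Signature = $sig.Status
        Sha256    = $hash
        Reasons   = ($reasons -join '; ')
    }
}

Get-Process |
    ForEach-Object { Test-SuspiciousProcess -Process $_ } |
    Where-Object { $_ } |
    Format-List
```

The signature check is deliberately the weakest of the three heuristics: plenty of legitimate user-installed software is unsigned, so a hit on rule 3 alone is a prompt to look at the path and hash, not a verdict. A process that is already gone from Task Manager, as in Eric's case after SAS ran, will not appear here; for that the on-disk remnants under the Temp and Temporary Internet Files paths named in the thread are the place to collect hashes from.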

Hi charlie,

Thanks for the insight; it does seem to be an elusive problem.

I would be interested to know what techniques you used to break the issue down and what anti-rootkit tools you used. If you would prefer, you can PM me your findings.

This topic is now closed to further replies.