Friday, October 14, 2011

Win32/Kryptik.TXT Trojan Spreading via Facebook Spam Links

Do you think twice before clicking a link on Facebook?

If you don’t, then maybe you should.

A nasty variant of the Win32/Kryptik.TXT Trojan is ripping through Facebook, pouncing on unsuspecting users as they click on links shared via Facebook Wall posts, discussion boards and chat sessions.

The Trojan is delivered via a drive-by download, giving the victim little-to-no time to react while it tests the effectiveness of the target computer’s antivirus software.

The Kryptik variant is being delivered by links that appear to point to a .JPG image file, although a closer look reveals that they actually lead to a PHP page.

Below is a screenshot of dangerous links spreading the Kryptik Trojan on Facebook discussion boards [WARNING: DO NOT GO TO THESE URLS AS THE TROJAN IS ACTIVELY BEING SERVED!]:

Dangerous Facebook Discussion Board Links Pointing to the Kryptik Trojan Horse

Looking at the links above, you may think that the links merely point towards images, right? WRONG!

The danger is exposed in the first half of the URL: v9[dot]freepicshare[dot]com/r.php

The remaining portion is merely a fake parameter added to trick you into thinking you’re downloading a legitimate image file, when in reality you’re being served the Win32/Kryptik.TXT Trojan.
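The disguise described above can be checked mechanically: parse the URL, look at what the server will actually execute, and flag it when an image-looking filename appears only in the query string, fragment or trailing path info. This is an added example, not code from the original post; the hostnames and filenames in it are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qsl, unquote
import posixpath

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SCRIPT_EXTS = {".php", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".exe", ".scr"}


def _ext(name: str) -> str:
    """Lower-cased extension of a path segment or parameter value."""
    return posixpath.splitext(unquote(name).lower())[1]


def classify_link(url: str) -> dict:
    """Report what a URL really requests versus what its tail suggests.

    'disguised' is True when the executed resource is a script but an
    image-looking name is hiding in the query, fragment or trailing path info,
    exactly the pattern of the r.php links discussed in the post.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    segments = [s for s in parsed.path.split("/") if s]

    # The first script-like segment is what the web server executes; anything
    # after it is just path info the script may ignore (e.g. /r.php/photo.jpg).
    real_ext, decoys = "", []
    for i, seg in enumerate(segments):
        if _ext(seg) in SCRIPT_EXTS:
            real_ext = _ext(seg)
            decoys += [unquote(s) for s in segments[i + 1:] if _ext(s) in IMAGE_EXTS]
            break
    else:
        real_ext = _ext(segments[-1]) if segments else ""

    # Fake parameters: keys or values that look like image filenames
    # (keep_blank_values catches bare forms such as r.php?photo.jpg).
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        decoys += [unquote(p) for p in (key, value) if _ext(p) in IMAGE_EXTS]
    if parsed.fragment and _ext(parsed.fragment) in IMAGE_EXTS:
        decoys.append(unquote(parsed.fragment))

    return {
        "host": parsed.hostname,
        "real_ext": real_ext,
        "decoys": decoys,
        "disguised": real_ext in SCRIPT_EXTS and bool(decoys),
    }
```

A link whose executed resource is itself an image (`/images/photo.jpg`) is reported as not disguised, so the check only fires on the script-plus-decoy pattern.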

If you visit the page, two dialogs will pop up:

Dialog Prompts Attempting to Download the Win32/Kryptik.TXT Trojan

If you’re running a good antivirus program that offers real-time scanning, the Trojan will be caught red-handed. Thankfully I’m running ESET NOD32 Antivirus, which is well-aware of this malicious Trojan horse and blocked it:

ESET NOD32 Antivirus Catches the Win32/Kryptik.TXT Trojan

Symptoms of a Win32/Kryptik.TXT infection


Should the Win32/Kryptik.TXT Trojan make its way onto your computer, it will do the following:

  • Embed its code into legitimate system files.

  • Download additional malware from a remote computer.

  • Serve pop-up advertisements on your computer screen.

  • Redirect your web browser to websites serving more malicious content.

  • Lower security settings to the minimum level of protection in order to give itself free rein over all files and folders.


As you can see, the Win32/Kryptik.TXT Trojan is quite the busy little bug once it infects a computer.

Removing it can be quite the chore, as you will likely need to do a system restore in addition to doing a full system scan with a good antivirus program.

Protecting Your PC from Win32/Kryptik.TXT Trojan & Other Malware


Here’s some advice on how you can avoid having your computer infected with malware:

  • Always run up-to-date antivirus software on your computer. There is a huge selection of antivirus programs for you to choose from – ESET, Symantec and Kaspersky are just a few companies that offer great antivirus applications.

  • Exercise caution when clicking on links. If you’re not sure about a link or suspect that it’s spam, DON’T click on it! This especially rings true for links shared on social networking websites like Facebook, Twitter, Google+ and even LinkedIn. Don’t be click-happy!

  • Always scan files downloaded from the internet. Make sure you use your antivirus software to scan files downloaded from the internet. It doesn’t matter if they’re Word docs, PDFs, images, videos, you name it – if you got it online, scan it.


Warn your friends about this Trojan spreading on Facebook and be careful when clicking links! If you see a link similar to the ones outlined in this post, mark it as spam and report it.

Be sure to follow us on Twitter at @hyphenet or “Like” us on Facebook to stay up-to-date on the latest security threats.

If you’re having trouble removing a Trojan horse, virus, or any other malicious programs from your computer, Hyphenet offers virus removal and protection services in San Diego County. Feel free to reach us by calling (619) 325-0990 or filling out our contact us form online.
