Latest Adobe Flash update flagged with Win32/Kryptik.KGY trojan variant

[opti1 2]

So I just downloaded and tried to install the latest update to Adobe Flash, 32.0.0.387, on Win7 Home Premium SP1 64-bit, on my laptop.

I'm running ESET NOD32 13.1.21.0, with Detection Engine 21489.

After I entered the Administrator password to the prompt to allow the update to install I got the pop up shown below from ESET NOD 32.

After some searching to see if I could find anything about this I selected to delete the file C:\install\flashplayer32_xa_install.exe.

My log file shows ESET detected and deleted this threat four times between 7:19:52 and 7:28:07 PM which probably represents the number of times I clicked on the Delete button before the pop up went away (I saw no other way to get rid of the pop up other than allowing the update to proceed). There's a gap of about eight minutes between the first delete entry and the second through fourth entry which all are within seconds of each other.

About an hour ago I installed this same update to Adobe Flash without any problem on my desktop that has the same versions and updates of Windows, Flash, ESET NOD32, and Malwarebytes Anti-Malware.

I still have the downloaded C:\install\flashplayer32_xa_install.exe file on my desktop so I scanned it with both ESET and Malwarebytes Anti-Malware and neither found any threats on that one.

Thoughts?

Is this a false positive on the laptop or a missed threat detection on the desktop?

Should I download the Flash update again to my laptop and allow it to proceed if I also get the ESET pop up with the warning again?

(I know, I know, uninstall Flash and be done with it . . .)

Thanks!

[Marcos 5,070]

I've run the Flash updater on Windows 10 but nothing was detected and the update installed alright. Win32/Kryptik.KGY is a detection from 2010.

Do you have another machine where you installed this update? If so, what OS is installed there and was the detection triggered on that machine?

 

[itman 1,659]

The download installer for FlashPlayer includes bundled McAfee security add-ons: https://get.adobe.com/flashplayer/npapi/ . If you didn't manually exclude those during the installation process, Eset might be triggering on those add-ons and identifying them as Kryptik malware versus flagging them as PUA's.

[Nightowl 202]

1 minute ago, itman said:

The download installer for FlashPlayer includes bundled McAfee security add-ons: https://get.adobe.com/flashplayer/npapi/ . If you didn't manually exclude those during the installation process, Eset might be triggering on those add-ons and identifying them as Kryptik malware versus flagging them as PUA's.

yea I think mcAfee is a malware and unwanted application together.

[itman 1,659]

6 hours ago, Marcos said:

I've run the Flash updater on Windows 10 but nothing was detected and the update installed alright. Win32/Kryptik.KGY is a detection from 2010.

OP is running Win 7. As such, it's not possible to update FlashPlayer via Win Updating anymore.

[opti1 2]

6 hours ago, Marcos said:

Do you have another machine where you installed this update? If so, what OS is installed there and was the detection triggered on that machine?

 

Thanks all for your responses.

@Marcos

From my original post:

"About an hour ago I installed this same update to Adobe Flash without any problem on my desktop that has the same versions and updates of Windows, Flash, ESET NOD32, and Malwarebytes Anti-Malware.

I still have the downloaded C:\install\flashplayer32_xa_install.exe file on my desktop so I scanned it with both ESET and Malwarebytes Anti-Malware and neither found any threats on that one."

Both the laptop and the desktop have Windows 7 Home Premium SP1 64-bit.

The detection was not triggered on the desktop.

And I 'always' manually exclude the McAfee installer although I suppose it's remotely possible that unchecking one of the two check boxes didn't take this time.

[itman 1,659]

21 minutes ago, opti1 said:

I still have the downloaded C:\install\flashplayer32_xa_install.exe file on my desktop so I scanned it with both ESET and Malwarebytes Anti-Malware and neither found any threats on that one."

Your screen shot shows that the Eset detection was memory based. As such, offline scanning would not have detected it. The shown Eset detection is a post-execution one. That is the FlashPlayer installer had loaded into memory and began executing.

[opti1 2]

2 minutes ago, itman said:

Your screen shot shows that the Eset detection was memory based. As such, offline scanning would not have detected it. The shown Eset detection is a post-execution one. That is the FlashPlayer installer had loaded into memory and began executing.

Right, I figured as much. I scanned the .exe file just to confirm and eliminate that as an issue.

[opti1 2]

So, in addition to this Flash Installer issue I now have this . . .

My ESET subscription runs out in a few days, 7 I think. I have been getting the appropriate pop up window reminding me to renew, always in English on all three of our Windows PCs.

Just now on this laptop the following window popped up. I don't know what language it is and I don't understand why it changed from English . . . but it seems strange that it would happen at the same time that I have this issue with the Flash installer . . .

Thoughts?

 

[itman 1,659]

Here's what I believed happened in regards to the original Eset Win32/Kryptik.KGY alert.

The downloaded FlashPlayer installer was not infected per se. Part of that installer processing would be to uninstall the existing version of Abode FlashPlayer on the device. It was during this processing that Eset detected Krypytik malware. In other words, the existing Abode FlashPlayer installation or files associated with it had been infected with Krypytik malware.

Run a full scan on the device where the Eset alert appeared; i.e. custom scan selecting "This PC" checkbox, which will populate all subordinate settings - operating memory, boot sectors, and all hard drives. Select the "Scan as Administrator" tab. Then review scan results for any Eset detections.

[opti1 2]

30 minutes ago, itman said:

... snipped ...

Run a full scan on the device where the Eset alert appeared; i.e. custom scan selecting "This PC" checkbox, which will populate all subordinate settings - operating memory, boot sectors, and all hard drives. Select the "Scan as Administrator" tab. Then review scan results for any Eset detections.

Thanks for your response.

I ran the full "Scan as Administrator" as you suggested, results shown below.

I am still confused as to why ESET didn't also detect the Kryptik variant on my desktop when I ran the Flash installer there. I was updating from the same previous version of Flash to the same current version of Flash.

I am also still confused as to why ESET is now showing me the renewal pop up message in a language other than English . . .

Edited June 14, 2020 by opti1
To attach image

[itman 1,659]

4 hours ago, opti1 said:

I am still confused as to why ESET didn't also detect the Kryptik variant on my desktop when I ran the Flash installer there. I was updating from the same previous version of Flash to the same current version of Flash.

As I posted previously, it appears that nothing was wrong with the FlashPlayer installer you downloaded. But rather that your laptop device was infected with Kryptik malware; most likely the existing FlashPlayer installation was infected.

Although the full Eset scan of Eset showed no malware present, the Eset renewal popup in what appears to be Cyrillic language; e.g. Russian, is not a good sign. It would be indicative of a possible compromised Eset installation. Or the renewal popup you are observing is a fake one being possibly generated by the Kryptik or some other malware.

I've tried to convert the renewal popup screen shot you posted to a .txt file so I could translate to English what it says. No success on that.

Open the Eset GUI. Is everything there shown in English language? I assume it is since you haven't commented otherwise.

 

[opti1 2]

56 minutes ago, itman said:

... snipped ...

Although the full Eset scan of Eset showed no malware present, the Eset renewal popup in what appears to be Cyrillic language; e.g. Russian, is not a good sign. It would be indicative of a possible compromised Eset installation. Or the renewal popup you are observing is a fake one being possibly generated by the Kryptik or some other malware.

I've tried to convert the renewal popup screen shot you posted to a .txt file so I could translate to English what it says. No success on that.

Open the Eset GUI. Is everything there shown in English language? I assume it is since you haven't commented otherwise.

 

Thanks again for your latest response.

No renewal pop up has popped up again since the one in what appeared to be Russian. I am waiting for the next one, not sure what triggers it.

Yes, the ESET GUI appears to be normal. I have gone through almost all of the screens and everything is in the English language.

[itman 1,659]

1 hour ago, opti1 said:

No renewal pop up has popped up again since the one in what appeared to be Russian. I am waiting for the next one, not sure what triggers it.

Post if it shows up again. My suspicions are it will reappear after you reboot or perform system startup after a previous system shutdown.

[Nux 0]

I got the same alert when downloading from Flash installer popup.

But when manually choosing version the problem didn't occur.

• Windows 7
• FP 32 for Firefox - NPAPI
• Results in downloading: `flashplayer32_xa_install.exe` -- this is OK

The problem was for `flashplayer32au_a_install.exe`. Direct URL for that file: flashplayer32au_a_install.exe

Edited June 15, 2020 by Nux

[itman 1,659]

1 hour ago, Nux said:

The problem was for `flashplayer32au_a_install.exe`. Direct URL for that file: flashplayer32au_a_install.exe

There's a posting about this on the Adobe forum website: https://community.adobe.com/t5/flash-player/adobe-flashplayer-update-malware-how-do-i-remove-it/td-p/11131261?page=1

This gist of the posting is that the OP originally thought he was infected by the flashplayer32au_a_install.exe download. It turns out that this download appears to be the same as the  flashplayer32_xa_install.exe download with slightly different security permission settings.

Now the flashplayer32au_a_install.exe download is the one received via use of FlashPlayer internal updater. The flashplayer32_xa_install.exe is the one received via manual download from the Adobe web site.

It may well be that Eset is throwing a false positive detection in regards to the flashplayer32au_a_install.exe download for some reason. Further prove for this assumption is I submitted this download;

Quote

Direct URL for that file: flashplayer32au_a_install.exe

to VirusTotal for a scan: https://www.virustotal.com/gui/file/6ba18bf8f9d3ca2ee1751b0f7c58b1d41d808089b1918e4f7e47420bb099e85d/detection .

There were zero detections.

Edited June 15, 2020 by itman

[opti1 2]

14 hours ago, itman said:

Post if it shows up again. My suspicions are it will reappear after you reboot or perform system startup after a previous system shutdown.

Thanks again for your response.

Yesterday without success I tried to force the renewal pop up on this laptop by logging off and back on, restarting my laptop, logging off and shutting down and starting up again, launching the ESET GUI, etc.. But after all of that I didn't see any renewal pop up, neither the normal English language pop up nor the same unusual non-English language pop up shown in the image in my previous message.

I also haven't seen any renewal pop up since I started this laptop today.

It's possible that this laptop never has given me renewal pop ups and only shows the renewal message in the ESET GUI along with the orange border color coding, etc.

That non-English pop up may be just part of a one-time event associated with running the Flash Player update that ESET detected as a threat.

It would be interesting to get a translation of what the non-English pop up says.

[itman 1,659]

22 minutes ago, opti1 said:

It's possible that this laptop never has given me renewal pop ups and only shows the renewal message in the ESET GUI along with the orange border color coding, etc.

This is correct: https://help.eset.com/eis/13/en-US/idh_page_status.html

If the Cyrillic language popup appeared on the desktop, it most likely was malware related. However, there is no direct evidence at this point that this popup is related to your recent FlashPlayer update.

Edited June 15, 2020 by itman

[itman 1,659]

I will say this in regards to anyone still using Win 7.

Abobe FlashPlayer is by far the most vulnerable app ever developed. As such, it is also the most exploited app by malware developers.

Win 7 is no longer supported by Microsoft and as a result is no longer receiving any security updates.  If a new security vulnerability in Win 7 is discovered by malware developers, it could be used to exploit FlashPlayer or anything else for that matter.

Time for anyone on Win 7 to upgrade to Win 10.

[opti1 2]

10 minutes ago, itman said:

This is correct: https://help.eset.com/eis/13/en-US/idh_page_status.html

If the Cyrillic language popup appeared on the desktop, it most likely was malware related. However, there is no direct evidence at this point that this popup is related to your recent FlashPlayer update.

Thanks again for your response.

The Cyrillic language popup did not appear on my desktop, only on my laptop, and only after I attempted to update the Flash Player and ESET detected the Kryptic variant threat.

As mentioned above the Cyrillc language popup has not returned to the laptop so far.

On my desktop the Flash Player update installed without problems or threat notification from ESET nor the Cyrillic language popup as it always has so far.

I allow Adobe to notify me that an update is ready for download but I always manually go to their site to download it and install it and I always uncheck the boxes to install McAfee or whatever additional third party software they have offered.

The file that I manually downloaded was flashplayer32_xa_install.exe which matches what you describe in your response to Nux.

As best as I can recall this episode on my laptop with ESET detecting the Kryptik variant and then my getting the Cyrillic language popup is the first time I have had any problem installing the Flash Player on any of our PCs.

 

[itman 1,659]

Just now, opti1 said:

The Cyrillic language popup did not appear on my desktop,

I was referring to the desktop display for the laptop.

[opti1 2]

1 minute ago, itman said:

... snipped ...

Time for anyone on Win 7 to upgrade to Win 10.

Yep. Working on it. 🙂

[itman 1,659]

25 minutes ago, opti1 said:

I allow Adobe to notify me that an update is ready for download but I always manually go to their site to download it and install it and I always uncheck the boxes to install McAfee or whatever additional third party software they have offered.

Excluding the Eset false positive possibility, I really believe whatever Eset detected as Win32/Kryptik.KGY originated from a file associated with the existing Adobe FlashPlayer installation. The downloaded FlashPlayer installer for the new version would be accessing the current version files to update/remove them to the current version equivalents. 

Note that the Eset alert/log entry only showed the downloaded FlashPlayer installer running in memory as to be expected. This does not imply that the file Eset detected as malware was associated with any new file the installer was creating or the installer itself.

Edited June 15, 2020 by itman

[opti1 2]

7 minutes ago, itman said:

Excluding the Eset false positive possibility, I really believe whatever Eset detected as Win32/Kryptik.KGY originated from a file associated with the existing Adobe FlashPlayer installation. The downloaded FlashPlayer installer for the new version would be accessing the current version files to update/remove them to the current version equivalents. 

Note that the Eset alert/log entry only showed the downloaded FlashPlayer installer running in memory as to be expected. This does not imply that the file Eset detected as malware was associated with any new file the installer was creating.

Thanks again for your response.

What you say makes sense.

What do you make of the ESET deep scan I 'ran as Administrator' finding no threats? I.e., no Kryptik variant like it detected when I tried to update the Flash Player nor any other malware?

When ESET detected the Kryptik variant and presented me with the options to Delete 'the file' or to allow the process to continue I selected Delete.

Would you expect that ESET deleted the Kryptic variant, that it is gone, and that is why it wasn't detected on the run as Administrator scan, or that it could still be hiding somewhere?

Thanks!

 

[itman 1,659]

33 minutes ago, opti1 said:

What do you make of the ESET deep scan I 'ran as Administrator' finding no threats? I.e., no Kryptik variant like it detected when I tried to update the Flash Player nor any other malware?

When ESET detected the Kryptik variant and presented me with the options to Delete 'the file' or to allow the process to continue I selected Delete.

Would you expect that ESET deleted the Kryptic variant, that it is gone, and that is why it wasn't detected on the run as Administrator scan, or that it could still be hiding somewhere?

Obviously it is impossible to determine what actually happened.

Review your Eset Detections log for entries related to this incident. It might actually show what file/s were deleted.

Barring further Eset like malware detection or abnormal PC behavior, I would say this detected threat has been removed.