MSIL/Spacekito


Microsoft security software detects and removes this family of threats.

Threats in the Spacekito malware family can steal information about your PC and send it to a malicious hacker. They can also install browser plugins that display ads.

Typically, these threats get onto your PC through another installer without your knowledge.



What to do now

The following free Microsoft software detects and removes these threats:

Even if we've already detected and removed these threats, running a full scan might find other malware that is hiding on your PC.

Remove browser add-ons

You might need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This family of threats gets onto your PC through a Nullsoft Scriptable Install System (NSIS) compiled installer. The threats are installed with the file name %APPDATA%\okitspace\protect\pluginprotect.exe without your consent.

They are then registered as a service with the name "Protect your browser's extensions" and modify these registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem"

They might also create the following registry subkey as part of their installation routine:

Subkey: HKLM\SOFTWARE\PluginProtect

Payload

Steals your information

After the threats are registered as a service, they get the following information about your PC:

  • Current date
  • Default browser
  • Installed antivirus program
  • Installed browsers
  • Operating system and version
  • User ID

They send this information to a remote server.

We've seen them connecting to the following servers to send information and download files:

  • baseflash.com
  • okitspace.com
  • media.vitkvitk.com
  • media.vitjvitj.com

Installs plugins and displays ads in your browser

These threats download a .zip file called plugin.zip, which contains the plugins they install.

Sample contents of plugin.zip are:

  • crxID - Contains text (Chrome ID)
  • OKitSpace.crx - Chrome extension to be installed
  • OKitSpace.crx.zip - Chrome extension to be installed
  • OKitSpace.pem - Cert file needed to install the Chrome extension
  • OKitSpace.dll - BHO to be installed on Internet Explorer
  • OKitSpace.xpi - Firefox plugin to be installed
  • version - Contains text (version of the plugin)

When these plugins are installed, they can display unwanted pop-up ads in Internet Explorer, Firefox, or Chrome browsers.


These threats monitor all the plugins they install. If the plugin is disabled, they immediately re-enable or activate the plugin. If the plugin is removed, the threats download and install another copy of the plugin.

Analysis by Ricardo Robielos


Symptoms

The following can indicate that you have these threats on your PC:

  • You have these files:
    %APPDATA%\okitspace\protect\pluginprotect.exe
  • You see these entries or keys in your registry:
    HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
    HKLM\SOFTWARE\PluginProtect
  • You see the extensions or plugins these threats install in Internet Explorer, Firefox, or Chrome
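
The file and registry symptoms above can be checked with a read-only script. This is an added example, not part of the original entry; it assumes PowerShell 4.0 or later, an elevated prompt, and that %APPDATA% resolves to AppData\Roaming under each user profile.

```powershell
# Added example: read-only check for the MSIL/Spacekito indicators on this page.
# Run elevated so every user profile and the HKLM hive are readable.
$findings = @()

# Registry keys named in the entry.
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\srvPlgProtect'
$regKeys = @($svcKey, 'HKLM:\SOFTWARE\PluginProtect')
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $key; Detail = '' }
    }
}

# If the service key exists, record what it launches and under which account.
$svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    $detail = 'ImagePath={0}; Start={1}; ObjectName={2}' -f $svc.ImagePath, $svc.Start, $svc.ObjectName
    $findings += [pscustomobject]@{ Type = 'ServiceConfig'; Item = $svc.DisplayName; Detail = $detail }
}

# %APPDATA% is per-user, so walk every profile registered on the machine
# (including the LocalSystem profile the service runs under).
# Assumption: AppData\Roaming is the default %APPDATA% location (Windows Vista and later).
$relPath     = 'AppData\Roaming\okitspace\protect\pluginprotect.exe'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($entry in Get-ChildItem -LiteralPath $profileList) {
    $root = (Get-ItemProperty -LiteralPath $entry.PSPath).ProfileImagePath
    if (-not $root) { continue }
    $exe = Join-Path -Path $root -ChildPath $relPath
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        # Hash the file so it can be compared against detections without running it.
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $exe; Detail = "SHA256=$hash" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MSIL/Spacekito indicators from this entry were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reports; it does not stop the service or delete anything.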


Prevention


Alert level: Severe
This entry was first published on: Feb 27, 2014
This entry was updated on: Jul 17, 2014

This threat is also detected as:
  • Adware-Okit!F2AB011D4F26 (McAfee)
  • winpe/Vittalia.PDB (Norman)
  • MSIL/Spacekito.A (Microsoft)
  • Trojan.Gen.2 (Symantec)
  • Win32.SuspectCrc (Ikarus)