Trojan:MSIL/Spacekito.A


Microsoft security software detects and removes this threat.

This threat steals information about your PC and installs browser plugins that display ads.

Typically, this threat gets onto your PC through another installer without your knowledge.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Remove browser add-ons

You might need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat gets onto your PC through a Nullsoft Scriptable Install System (NSIS) compiled installer. It is usually installed with the file name %APPDATA%\okitspace\protect\pluginprotect.exe without your consent.

It is then registered as a service with the name "Protect your browser's extensions" and modifies these registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem"

It might also create the following registry subkey as part of its installation routine:

Subkey: HKLM\SOFTWARE\PluginProtect
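
The following added example (not part of the original entry) checks saved `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output for the service entries listed above. The sample output, the ExampleSvc and RenamedSvc keys and the user name are constructed; matching on the image path as well as the key name goes slightly beyond the entry, so that the same binary registered under another service name is still reported.

```python
import re

# Indicators from this entry: service key name, display name, image path tail.
SERVICE_KEY = "srvplgprotect"
DISPLAY_NAME = "protect your browser's extensions"
IMAGE_TAIL = r"\okitspace\protect\pluginprotect.exe"
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")
# Constructed sample of `reg query ... /s` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvPlgProtect
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %AppData%\okitspace\protect\PluginProtect.exe
    DisplayName    REG_SZ    Protect your browser's extensions
    ObjectName    REG_SZ    LocalSystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RenamedSvc
    ImagePath    REG_EXPAND_SZ    "C:\Users\alice\AppData\Roaming\okitspace\protect\pluginprotect.exe"
"""

def parse_reg_query(text):
    """Parse `reg query <key> /s` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, kind, data = m.groups()
            # REG_DWORD is printed as 0x...; other types are kept as text.
            current[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data.strip()
    return keys

def scan(text):
    """Return {service_key_path: [matched indicators]} for matching services."""
    report = {}
    for path, v in parse_reg_query(text).items():
        checks = {
            "service key name": path.rsplit("\\", 1)[-1].lower() == SERVICE_KEY,
            "display name": str(v.get("displayname", "")).lower() == DISPLAY_NAME,
            "image path": str(v.get("imagepath", "")).strip('"').lower().endswith(IMAGE_TAIL),
        }
        hits = [name for name, ok in checks.items() if ok]
        # Auto-start as LocalSystem is common for benign services: context only.
        if hits and v.get("start") == 2 and str(v.get("objectname", "")).lower() == "localsystem":
            hits.append("auto-start as LocalSystem")
        if hits:
            report[path] = hits
    return report
```

Calling `scan(SAMPLE)` reports the srvPlgProtect key with all four indicators and the RenamedSvc key on image path alone.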

Payload

Steals your information

After the threat is registered as a service, it gets the following information about your PC:

  • Current date
  • Default browser
  • Installed antivirus program
  • Installed browsers
  • Operating system and version
  • UserID

It sends this information to a remote server.

We've seen it connecting to the following servers to send information and download files:

  • baseflash.com
  • okitspace.com
  • media.vitkvitk.com
  • media.vitjvitj.com

Installs plugins and displays ads in your browser

This threat downloads a .zip file called plugin.zip, which contains the plugins it installs.

Sample contents of plugin.zip are:

  • crxID - Contains text (Chrome ID)
  • OKitSpace.crx - Chrome extension to be installed
  • OKitSpace.crx.zip - Chrome extension to be installed
  • OKitSpace.pem - Cert file needed to install the Chrome extension
  • OKitSpace.dll - BHO to be installed on Internet Explorer
  • OKitSpace.xpi - Firefox plugin to be installed
  • version - Contains text (version of the plugin)

When these plugins are installed, they can display unwanted pop-up ads in Internet Explorer, Firefox, or Chrome browsers.

[Screenshots of the installed plugins in Internet Explorer, Firefox, and Chrome]

The threat monitors all the plugins it installs. If a plugin is disabled, it immediately re-enables or activates the plugin. If the plugin is removed, the threat downloads and installs another copy of the plugin.

Analysis by Ricardo Robielos


Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    %APPDATA%\okitspace\protect\pluginprotect.exe
  • You see these entries or keys in your registry:
    HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
    HKLM\SOFTWARE\PluginProtect
  • You see these extensions or plugins in Internet Explorer, Firefox, or Chrome: [screenshots]

Alert level: Severe
First detected by definition: 1.167.948.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 01, 2014
This entry was first published on: Feb 27, 2014
This entry was updated on: Jul 17, 2014

This threat is also detected as:
  • Adware-Okit!F2AB011D4F26 (McAfee)
  • winpe/Vittalia.PDB (Norman)
  • MSIL/Spacekito.A (Microsoft)
  • Trojan.Gen.2 (Symantec)
  • Win32.SuspectCrc (Ikarus)