
Virus:Win32/Jadtre.gen!A


First posted on 29 June 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Jadtre.gen!A is also known as WORM_JADTRE.N (Trend Micro), Worm.Win32.Pikorms (Ikarus), Win32/Wapomi.C (ESET), Worm.Win32.Qvod.ts (Kaspersky).

Explanation :

Virus:Win32/Jadtre.gen!A is a detection for a virus that infects Windows executable files and spreads to other computers via network shares and removable drives. The virus attempts to download and execute arbitrary files, and modifies the HOSTS file.

Installation

Virus:Win32/Jadtre.gen!A is dropped by files that are infected with other viruses, for example Virus:Win32/Jadtre.E, when those files are executed. It may arrive as the file "cmt.exe". It installs itself as a Windows system service DLL file. It searches for a stopped system service from the following list:

  • AppMgmt
  • BITS
  • Browser
  • CryptSvc
  • EventSystem
  • FastUserSwitchingCompatibility
  • helpsvc
  • Netman
  • Nla
  • Ntmssvc
  • RemoteRegistry
  • Schedule
  • SSDPSRV
  • Tapisrv
  • Themes
  • upnphost
  • WmdmPmSN
  • xmlprov
If the virus does not find a stopped service from the above list, it attempts to stop one of these services. It disables Windows System File Checker (SFC) and then replaces the stopped service's DLL with a copy of the malware using the same DLL file name. The virus DLL may therefore be named any of the following, depending on which service it replaces:
  • schedsvc.dll
  • regsvc.dll
  • pchsvc.dll
  • cryptsvc.dll
  • browser.dll
  • tapisrv.dll
  • mswsock.dll
  • netman.dll
  • ssdpsrv.dll
  • upnphost.dll
  • ntmssvc.dll
  • es.dll
  • xmlprov.dll
  • mspmsnsv.dll
  • shsvcs.dll
  • qmgr.dll
  • appmgmts.dll
Virus:Win32/Jadtre.gen!A sets the replaced service as an autostart system service so that the virus DLL is loaded at each Windows start.

Virus:Win32/Jadtre.gen!A may also drop a device driver with a random file name, as the following:

  • <system folder>\drivers\<random file name>.sys (for example, 682E4E5E.sys)

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

The dropped component may be detected as VirTool:WinNT/Jadtre.B.

Spreads via...

File infection

Virus:Win32/Jadtre.gen!A infects Windows files having a file extension of ".EXE". The virus can infect executables within .RAR archive container files.

Removable drives

Virus:Win32/Jadtre.gen!A copies itself to removable drives as the following file:

  • <drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe

The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer that supports the Autorun feature, the virus is launched automatically.

Network shares

Virus:Win32/Jadtre.gen!A attempts to connect to network shares using a built-in dictionary of user names and passwords. After successfully connecting to a share, the virus drops a copy of its body in the share folder.

Payload

Downloads and executes arbitrary files

Virus:Win32/Jadtre.gen!A connects to a remote host to download and execute arbitrary files on the infected computer.

Modifies HOSTS file

Virus:Win32/Jadtre.gen!A replaces the HOSTS file "<system folder>\drivers\etc\hosts" with an empty configuration, removing any previously blocked hosts.
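As an added triage example (not part of the original writeup), the Python below checks a removable drive's autorun.inf and file listing for the drop path described above, and checks a HOSTS file for the empty configuration the virus leaves behind; the autorun.inf body and the drive listing are constructed samples, and only the drop path and file name come from the writeup.

```python
import ntpath

# Paths quoted from the writeup above; every sample input below is constructed.
JADTRE_DROP_DIR = "recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
JADTRE_DROP_FILE = "setup.exe"
# Constructed autorun.inf body in the shape the writeup describes (points at setup.exe).
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe\r\n"
    "shell\\open\\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe\r\n"
)
# Constructed listing of relative paths found on the removable drive.
SAMPLE_LISTING = ["autorun.inf", "Recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe", "photos\\img1.jpg"]

def autorun_targets(autorun_text):
    """Collect the programs an autorun.inf would launch: open=, shellexecute=, shell\\*\\command=."""
    targets = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell") and key.endswith("command")):
            program = value.strip('"').split()  # drop any command-line arguments
            if program:
                targets.append(program[0])
    return targets

def jadtre_autorun_indicators(autorun_text, drive_listing):
    """Return findings matching the Jadtre removable-drive pattern; an empty list means no match."""
    drop_dir = ntpath.normcase(JADTRE_DROP_DIR)
    listing = [ntpath.normcase(p) for p in drive_listing]  # normcase lowercases and unifies slashes
    drop_present = any(p == drop_dir or p.startswith(drop_dir + "\\") for p in listing)
    findings = []
    if drop_present:
        findings.append("drop folder present: " + JADTRE_DROP_DIR)
    for target in autorun_targets(autorun_text):
        t = ntpath.normcase(target)
        # Flag setup.exe launched from the drop folder, or any setup.exe when that folder exists.
        if ntpath.basename(t) == JADTRE_DROP_FILE and (drop_dir in t or drop_present):
            findings.append("autorun.inf launches " + target)
    return findings

def hosts_emptied(hosts_text):
    """True when the HOSTS file has no active entries, the state Jadtre leaves it in."""
    lines = (l.strip() for l in hosts_text.splitlines())
    return not any(l and not l.startswith("#") for l in lines)
```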

    Analysis by Chun Feng

    Last update 29 June 2010
