
Virus:Win32/Jadtre.B


First posted on 24 January 2020.
Source: Microsoft

Aliases :

Virus:Win32/Jadtre.B is also known as Win32/Jadtre.C, TR/Drop.Bototer.B.82, Win32/Emerleox.IN, Win32.HLLW.Viking.55, Trojan-Dropper.Win32.Bototer.b, Downloader-CCW.gen.a, W32/Katusha.T, W32.Fujacks.CE!inf.

Explanation :

Virus:Win32/Jadtre.B is a detection for a virus that infects Windows executable files, modifies HTML files, and spreads to other computers across the network and via removable drives. The virus prevents Windows from starting in safe mode, attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.

Installation

When executed, a Virus:Win32/Jadtre.B-infected file drops and executes a copy of the virus body as the following:

%SystemDrive%\booter.exe

The dropped virus file "booter.exe" attempts to install itself as a system service DLL. It searches for a stopped system service from the following list:

Schedule
RemoteRegistry
helpsvc
CryptSvc
Themes
Browser
Tapisrv
Nla
Netman
SSDPSRV
upnphost
Ntmssvc
EventSystem
xmlprov
WmdmPmSN
FastUserSwitchingCompatibility
BITS
AppMgmt

If the virus does not find a stopped service in the above list, it attempts to stop one of them. The virus disables Windows System File Checker (SFC), so that the protected system file it overwrites is not restored, and replaces the stopped service's DLL with a copy of "booter.exe". The virus DLL may therefore be named as one of the following, depending on which service it replaces:

schedsvc.dll
regsvc.dll
pchsvc.dll
cryptsvc.dll
browser.dll
tapisrv.dll
mswsock.dll
netman.dll
ssdpsrv.dll
upnphost.dll
ntmssvc.dll
es.dll
xmlprov.dll
mspmsnsv.dll
shsvcs.dll
qmgr.dll
appmgmts.dll

Virus:Win32/Jadtre.B sets the replaced service to autostart so that the virus DLL is loaded at each Windows start. Because the virus DLL takes the name of the legitimate service DLL, the file name alone does not identify it; compare each of the DLLs above against a known-good copy (hash or digital signature) when checking a suspect host.

Spreads via…

File infection

Virus:Win32/Jadtre.B infects Windows executable files having the file extension ".EXE". The virus can also infect executables inside .RAR archive files.

Removable drives

Virus:Win32/Jadtre.B copies itself to removable drives as the following:

<drive>:\Recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe

The GUID in the folder name is the CLSID of the Windows Recycle Bin, so Explorer presents the folder as a Recycle Bin rather than as an ordinary directory. The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically. Windows 7 and later, and earlier versions with Microsoft's AutoRun update applied, do not honour autorun.inf on removable drives, so this path only works against unpatched older systems.

Network shares

Virus:Win32/Jadtre.B attempts to connect to network shares by using a built-in dictionary of user names and passwords. After successfully connecting to a share, the virus drops a copy of the virus body in the share folder. A burst of failed logons (event ID 4625 on the target) from a single host is the visible trace of this guessing.

Payload

Modifies system settings

Virus:Win32/Jadtre.B deletes the following registry subkeys to prevent Windows from starting in safe mode or safe mode with networking:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

Infects HTML files

Virus:Win32/Jadtre.B infects HTML files having the following file extensions:

.htm
.html
.asp
.aspx

The virus appends a JavaScript link (a <script> reference) to the domain "yy.web1000wip.com" to each such file.

Downloads and executes arbitrary files

Virus:Win32/Jadtre.B connects to a remote host to download and execute arbitrary files on the infected computer. In the wild, Virus:Win32/Jadtre.B has been observed to contact the following domain for this purpose:

ad.ns5000wip.com

Analysis by Chun Feng
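As an added example (not part of Microsoft's description), the following Python covers the removable-drive and HTML-infection behaviour described above: it parses an autorun.inf and flags any launch entry that points into the Recycle.{645FF040-5081-101B-9F08-00AA002F954E} directory, and it finds and strips <script> tags that load from yy.web1000wip.com, so a copied drive image or share can be triaged offline. The directory name and domain are the page's; the set of autorun keys treated as launch keys and the sample file contents are assumptions.

```python
"""Offline triage for the Win32/Jadtre.B drive and HTML artefacts.

Added example, not Microsoft's code. It parses autorun.inf files and
HTML-type files from a mounted image or share copy and reports the
indicators the description gives. Sample inputs are constructed.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

# Values taken from the description.
RECYCLE_DIR = "Recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
HTML_DOMAIN = "yy.web1000wip.com"
HTML_EXTS = {".htm", ".html", ".asp", ".aspx"}

# [autorun] keys that start a program. The page only says the file "points to
# setup.exe"; covering open, shellexecute and shell\<verb>\command is an assumption.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# An external <script src=...></script> tag, the form an appended JavaScript link takes.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[\"']?[^>]*>\s*</script\s*>",
    re.I | re.S,
)

# Constructed samples; the page names the directory and domain, not the file contents.
SAMPLE_AUTORUN = (
    f"[autorun]\nopen={RECYCLE_DIR}\\setup.exe\n"
    f"shell\\open\\Command={RECYCLE_DIR}\\setup.exe\n"
)
SAMPLE_HTML = ('<html><body>hello</body></html>\n'
               '<script src="http://yy.web1000wip.com/x.js"></script>')


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}, lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """Return every program an autorun.inf would start when the drive is opened."""
    auto = parse_autorun(text).get("autorun", {})
    return [value for key, value in auto.items() if LAUNCH_KEY.match(key)]


def autorun_is_jadtre(text):
    """True when any launch target lives in the fake Recycle Bin directory."""
    return any(RECYCLE_DIR.lower() in t.lower() for t in autorun_launch_targets(text))


def _host(src):
    # A scheme-less "yy.web1000wip.com/x.js" has no netloc for urlparse; add one.
    return (urlparse(src if "//" in src else "//" + src).hostname or "").lower()


def injected_scripts(html):
    """Return src URLs of <script> tags that load from the Jadtre HTML domain."""
    return [m.group(1) for m in SCRIPT_TAG.finditer(html) if _host(m.group(1)) == HTML_DOMAIN]


def clean_html(html):
    """Drop the injected script tags; everything else is returned untouched."""
    return SCRIPT_TAG.sub(lambda m: "" if _host(m.group(1)) == HTML_DOMAIN else m.group(0), html)


def scan_tree(root):
    """Walk a directory copy and collect (path, finding) pairs for both indicators."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == "autorun.inf":
            if autorun_is_jadtre(p.read_text(errors="replace")):
                findings.append((str(p), "autorun.inf launches from " + RECYCLE_DIR))
        elif p.suffix.lower() in HTML_EXTS:
            for src in injected_scripts(p.read_text(errors="replace")):
                findings.append((str(p), "injected script " + src))
    return findings


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    (root / "index.htm").write_text(SAMPLE_HTML)
    for path, what in scan_tree(root):
        print(f"{path}: {what}")
    print(clean_html(SAMPLE_HTML))
```

Point scan_tree at the mount point of a drive image or a copied share to list hits; clean_html returns the file content with only the matching tags removed, so a diff against the original shows exactly what was stripped before anything is written back.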

Last update 24 January 2020

 
