Home / malware Trojan.Downloader.JLEA
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.Downloader.JLEA is also known as Trojan-Downloader.Win32.Agent.ambm TrojanDownloader.Win32.A.
Explanation :
This executable is used to download and run other malicious applications from the internet (mostly password stealers).
When run, the downloader drops a dinamic library file in the %temp% directory with a random name, such as 4049437_ex.tmp, 4099250_ex.tmp, 4161421_ex.tmp.
The malware uses a function from this dll to run the files it downloads (probably to avoid euristic detections based on classic API calls).
The malware gets a list with the interenet location of the files to download from http://www.oi......./ko.txt. It is saved as %system32%kn.txt and it looks like this:
[file]
open=y
url1=http://61.160.....ew/new1.exe
url2=http://61.160...../new2.exe
url3=http://61.160.....new3.exe
url4=http://61.160.2..../new4.exe
url5=http://61.160.21....ew5.exe
url6=http://61.160.210.....6.exe
url7=http://61.160.210.4..../new7.exe
...
This list is parsed and the files are downloaded and executed (with a certain random delay between these operations).
Also, this executable replaces the hosts file (%system32%driversetchosts) with another one downloaded from http://www.oi...../ad.jpg. This is a fragment of the downloaded hosts file:
...
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.1 va9sdhun23.cn
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.0.0.3 adlaji.cn
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
...
This hosts file doesn't prevent any AV updates. It is probably used only to replace the previous hosts file, which might have contained some cleverly chosen interdictions. However, a good way to tell whether the malware ran on your machine is to check if you can access these sites.Last update 21 November 2011
