
Virus:Win32/Jadtre.I


First posted on 13 July 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Jadtre.I is also known as W32/Threat-HLLIT-based!Maximus (Authentium), W32/Pikorms.G (Norman), Win32.Jadtre.Gen (VirusBuster), Worm/AutoRun.JT (AVG), TR/Crypt.EPACK.Gen2 (Avira), Gen:Trojan.Heur.GZ.Nq0@bu4q41bi (BitDefender), Win32/Wapomi.A (CA), Win32.Dropper.5 (Dr.Web), Win32/AutoRun.NAX (ESET), Virus.Win32.Jadtre (Ikarus), W32/Fujacks.be (McAfee), Win32.Fednu.e (Rising AV), W32/Jadtre-B (Sophos), Virus.Win32.Jadtre.b (Sunbelt Software), W32.Wapomi.B!inf (Symantec).

Explanation :

Virus:Win32/Jadtre.I is a detection for a virus that infects Windows executable files, and spreads to computers via network shares and removable drives. The virus attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.

Installation

When executed, a Virus:Win32/Jadtre.I-infected file drops and executes a copy of the virus body with a random name, which may be detected as Virus:Win32/Jadtre.gen!A. The dropped virus file attempts to install itself as a Windows system service DLL. It searches for a stopped system service from the following list:

  • Schedule
  • RemoteRegistry
  • helpsvc
  • CryptSvc
  • Themes
  • Browser
  • Tapisrv
  • Nla
  • Netman
  • SSDPSRV
  • upnphost
  • Ntmssvc
  • EventSystem
  • xmlprov
  • WmdmPmSN
  • FastUserSwitchingCompatibility
  • BITS
  • AppMgmt

If the virus does not find a stopped service from the above list, it attempts to stop one of the services. The virus disables Windows System File Checker (SFC) and replaces the stopped service with a copy of the dropped virus body as a DLL. The virus DLL may therefore be named as one of the following, depending on which service it replaces:

  • schedsvc.dll
  • regsvc.dll
  • pchsvc.dll
  • cryptsvc.dll
  • browser.dll
  • tapisrv.dll
  • mswsock.dll
  • netman.dll
  • ssdpsrv.dll
  • upnphost.dll
  • ntmssvc.dll
  • es.dll
  • xmlprov.dll
  • mspmsnsv.dll
  • shsvcs.dll
  • qmgr.dll
  • appmgmts.dll

Virus:Win32/Jadtre.I sets the replaced service as an autostart system service to make sure the virus DLL is loaded at each Windows start. Virus:Win32/Jadtre.I may also drop a device driver with a random filename as the following:

  • <system folder>\drivers\<random>.sys (for example, <system folder>\drivers\55C03AF5.sys)

The dropped component may be detected as VirTool:WinNT/Jadtre.B.

Spreads via…

File infection

Virus:Win32/Jadtre.I infects Windows executable files that have a file extension of ".EXE". The virus can infect executables within .RAR archive container files.

Removable drives

Virus:Win32/Jadtre.I copies itself to removable drives as the following:

  • <drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe

The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.

Network shares

Virus:Win32/Jadtre.I attempts to connect to network shares by using a built-in dictionary containing user names and passwords. After successfully connecting to the share, the virus drops a copy of the virus body in the share folder.

Payload

Downloads and executes arbitrary files

Virus:Win32/Jadtre.I connects to a remote host to download and execute arbitrary files on the infected computer.

Modifies HOSTS file

Virus:Win32/Jadtre.I replaces the hosts file "<system folder>\drivers\etc\hosts" with an empty configuration in order to remove any previously blocked hosts.
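As an added defender-side triage example (not code from the page or from the original analysis), the following Python parses a drive root's autorun.inf, extracts the entries Autorun would launch, and flags the recycle.{…}\setup.exe dropper path named above, both as a launch target and as a file on disk. The drive-root fixture it builds is constructed from placeholder bytes, not a real sample.

```python
import tempfile
from pathlib import Path
# Dropper folder and file name as given on the page; compared case-insensitively because Windows names are.
JADTRE_DIR = "recycle.{645FF040-5081-101B-9F08-00AA002F954E}"
JADTRE_EXE = "setup.exe"

def parse_autorun(text: str) -> dict:
    """Return the key=value entries of the [autorun] section, keys lowercased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries: dict) -> list:
    """Values Autorun would execute: open=, shellexecute= and shell\\<verb>\\command=."""
    return [v.strip('"').lower() for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]

def scan_drive_root(root: Path) -> list:
    """Report autorun.inf entries and on-disk files matching the Jadtre.I dropper path."""
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        for target in launch_targets(parse_autorun(inf.read_text(errors="replace"))):
            if JADTRE_DIR.lower() in target and target.endswith(JADTRE_EXE):
                findings.append(f"autorun.inf launches {target}")
    for child in root.iterdir():
        if child.is_dir() and child.name.lower() == JADTRE_DIR.lower():
            if any(p.name.lower() == JADTRE_EXE for p in child.iterdir()):
                findings.append(f"dropper present: {child.name}\\{JADTRE_EXE}")
    return findings

def build_demo_root() -> Path:
    """Constructed fixture imitating an infected drive root (placeholder bytes, not a sample)."""
    root = Path(tempfile.mkdtemp())
    (root / JADTRE_DIR).mkdir()
    (root / JADTRE_DIR / JADTRE_EXE).write_bytes(b"MZ placeholder, not malware")
    (root / "autorun.inf").write_text("[autorun]\r\n"
        f"open={JADTRE_DIR}\\{JADTRE_EXE}\r\n"
        f"shell\\open\\command={JADTRE_DIR}\\{JADTRE_EXE}\r\n")
    return root
```

Running `scan_drive_root(build_demo_root())` reports the two autorun.inf launch entries and the dropper file; a clean drive root yields an empty list.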

Analysis by Chun Feng

Last update 13 July 2010