Trojan.Downloader.JIYC (aliases: Trojan.Inject.380, Backdoor.Win32.Agent)
SYMPTOMS:
Presence of files with the ".ex_" extension carrying the names of existing ".exe" files. Modified programs among those scheduled for autorun. 24 additional Scheduled Jobs, each running a program from the SystemRoot directory.

TECHNICAL DESCRIPTION:
When executed, the virus checks whether it is running on a Win32 NT platform. If it is not, it only downloads the file from http://xxx.xxx.xxx.xxx/[hash obtained from Computer name] and executes it. On an NT platform, it copies itself into the SystemRoot directory under a randomly generated name. If the Schedule service is stopped, it starts the service, then adds Scheduled Jobs that launch the copy every hour (one job per hour of the day, which accounts for the 24 extra jobs). The virus then scans the Autorun registry keys and infects the (.exe) programs found there. Infection consists in:
If the virus finds a process named "zlclient.exe" (the ZoneAlarm client) in memory, it deletes itself. It then injects a DLL embedded in the virus body into every process in the system that it can open with write access; the DLL does the same thing: it injects itself into further processes and downloads and executes the file from the link above. The virus itself then downloads the file from the link above and executes it. If a file infected by the virus contains an overlay (data appended after the last PE section), the overlay data is corrupted by the infection.

REMOVAL INSTRUCTIONS:
Please let BitDefender disinfect your files.

ANALYZED BY: Suiu Andrei, virus researcher
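The following read-only triage script is an added example, not part of the BitDefender write-up or of any BitDefender tool. It checks a live Windows host for the three symptoms listed above: ".ex_" companions of existing ".exe" files, Run-key autorun entries whose target program has such a companion, and scheduled jobs that launch an executable directly from %SystemRoot%. The registry key list, the directories scanned and the command-line parsing regex are the author's assumptions about where a typical host keeps autorun entries and programs; the malware's own file and job names are random and not encoded here.

```powershell
# Added triage script (not from the original write-up). Reports only; it removes nothing.

# Assumption: these are the autorun keys worth checking on a typical host.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line, quoted or not, with or without arguments.
function Get-ExePath([string]$cmd) {
    $m = [regex]::Match($cmd, '^\s*"?([^"]+?\.exe)"?', 'IgnoreCase')
    if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) } else { $null }
}

Write-Host "== Autorun entries whose target has a .ex_ companion (original program possibly renamed) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath metadata
        $exe = Get-ExePath $p.Value
        if (-not $exe) { continue }
        $companion = [IO.Path]::ChangeExtension($exe, '.ex_')
        if (Test-Path $companion) {
            "{0}\{1} -> {2}  (companion: {3})" -f $key, $p.Name, $exe, $companion
        }
    }
}

Write-Host "`n== *.ex_ files sitting beside a same-named *.exe =="
# Assumption: infected programs live under SystemRoot or the Program Files trees.
$roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter '*.ex_' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path ([IO.Path]::ChangeExtension($_.FullName, '.exe')) } |
        ForEach-Object { $_.FullName }
}

Write-Host "`n== Scheduled jobs that run an executable directly from %SystemRoot% =="
# The dropped copy lives in %SystemRoot% itself, so match that directory only and not System32,
# which legitimate tasks use all the time. 'Task To Run' is a standard column of schtasks /v CSV output.
$sysRoot = [regex]::Escape($env:SystemRoot)
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match "^\s*`"?$sysRoot\\[^\\]+\.exe" } |
    Select-Object TaskName, 'Task To Run', 'Schedule Type', 'Repeat: Every' |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that the HKLM keys and the full task list are readable. Any hit in the last section (an hourly job pointing at an unfamiliar, randomly named executable in the Windows directory) is the strongest single indicator of the infection described above; hits in the first two sections identify which autorun programs were replaced.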