Trojan.Downloader.JJRL

HIGH
VERY LOW
69 KB
(Trojan-Downloader.Win32.PurityScan.fk (KAV) Adware:Win32/ClickSpring.B (OneCare))

Symptoms

Presence in the start-up registry key
HKCU\Software\Microsoft\Windows\CurrentVersion\Run of the field "Otla",
which contains "%PATH_TO_TROJAN%\%TROJAN_NAME% -vt ndrv"

Presence on the hard disk of a hidden file at the path %PATH_TO_TROJAN% given in the registry key mentioned above
Attempt to download the file "ctxad.exe" from "http://outerinfo.net/"
Presence of a registry key HKCU\Software\Baoa with two fields, "Cnae" and "Dpoo"

Removal instructions:

Open Registry Editor (Start, Run and type 'regedit') and go to the location
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;
note the executable name from the field 'Otla' (the part after the last '\').

Open Task Manager (press [CTRL]+[ALT]+[DEL]), go to the Processes tab and find in the list the process with the same name as the one found in the registry key. ATTENTION: the User Name field must be the same as the user currently logged on (not SYSTEM, LOCAL SERVICE or NETWORK SERVICE). Kill this process (right-click, End Process). Delete from the hard disk the file defined by the path in the above-mentioned field 'Otla', and delete this field in Registry Editor.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

The trojan copies itself to a location of the form "%FOLDER_1%\%FOLDER_2%\%TROJAN_NAME%" where
%FOLDER_1% is one of the following: Windows, Program Files, My Documents
%FOLDER_2% is one of the following: Oracle, Symantec, Adobe, Microsoft, Microsoft.NET, Drivers, WinSxS, Tasks, system32, system, symbols, security, Fonts, assembly, AppPatch

The trojan replaces one character in the above names with a look-alike non-ASCII character.
%TROJAN_NAME% is randomly chosen from the following list:
regsvr32, regedit, tracert, nslookup, mshta, nopdb, winword, ati2evxx, spool32, msconfig, userinit, netdde, scanregw, wucrtupd, wuauboot, wuauclt, wuaclt, rundll, dexplore, iexplore, notepad, msdtc, javaw, ntvdm, wowexec, winspool, taskmgr, rundll32, msiexec, logonui, dvdplay, dllhost, chkdsk, chkntfs, attrib, winlogon, spoolsv, services, lsass, csrss, svchost, explorer

In order to execute itself at each system startup, the following registry key is created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Otla"="\"%PATH_TO_TROJAN%\" -vt ndrv" where %PATH_TO_TROJAN% is the path to the copy created above.
The trojan tries to download a file named 'ctxad.exe' from http://outerinfo.com into the %TEMP% directory and, on success, executes it. That file is also detected by BitDefender as malware.
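The following is an added detection example, not code from the advisory or from BitDefender: it checks a captured snapshot of HKEY_CURRENT_USER (constructed inline as a dictionary, not read from a live registry) for the indicators described above, namely the "Otla" Run value with the "-vt ndrv" argument, an executable named after one of the impersonated system binaries, a folder name in which one character was swapped for a non-ASCII look-alike, and the HKCU\Software\Baoa key with its "Cnae" and "Dpoo" fields. The folder and binary name lists are copied from the description; the snapshot layout and all function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Folder and file names the advisory says the trojan imitates (lower-cased).
LOOKALIKE_FOLDERS = {"windows", "program files", "my documents", "oracle", "symantec",
                     "adobe", "microsoft", "microsoft.net", "drivers", "winsxs", "tasks",
                     "system32", "system", "symbols", "security", "fonts", "assembly",
                     "apppatch"}
IMPERSONATED_EXES = {"regsvr32", "regedit", "tracert", "nslookup", "mshta", "nopdb",
                     "winword", "ati2evxx", "spool32", "msconfig", "userinit", "netdde",
                     "scanregw", "wucrtupd", "wuauboot", "wuauclt", "wuaclt", "rundll",
                     "dexplore", "iexplore", "notepad", "msdtc", "javaw", "ntvdm",
                     "wowexec", "winspool", "taskmgr", "rundll32", "msiexec", "logonui",
                     "dvdplay", "dllhost", "chkdsk", "chkntfs", "attrib", "winlogon",
                     "spoolsv", "services", "lsass", "csrss", "svchost", "explorer"}

def is_lookalike_folder(name):
    """True if `name` has a non-ASCII char and, with such chars dropped, equals an imitated name minus one char."""
    if name.isascii():
        return False
    skeleton = "".join(ch for ch in name.lower() if ch.isascii())
    return any(len(f) == len(skeleton) + 1 and f[:i] + f[i + 1:] == skeleton
               for f in LOOKALIKE_FOLDERS for i in range(len(f)))

def analyze_run_value(value):
    """Return the advisory's indicators found in one Run-key command line."""
    m = re.match(r'\s*"([^"]*)"\s*(.*)', value) or re.match(r'\s*(\S+)\s*(.*)', value)
    path, args = PureWindowsPath(m.group(1)), m.group(2).strip()
    hits = []
    if args == "-vt ndrv":
        hits.append("argument -vt ndrv")
    if path.stem.lower() in IMPERSONATED_EXES:
        hits.append("impersonated binary name")
    if any(is_lookalike_folder(p) for p in path.parts[1:-1]):  # skip drive and file name
        hits.append("look-alike folder with non-ASCII character")
    return hits

def scan(hkcu):
    """hkcu: {subkey: {value_name: data}} snapshot of HKEY_CURRENT_USER (assumed layout)."""
    findings = {}
    run = hkcu.get(r"Software\Microsoft\Windows\CurrentVersion\Run", {})
    if "Otla" in run:
        findings["Otla"] = analyze_run_value(run["Otla"])
    if {"Cnae", "Dpoo"} <= set(hkcu.get(r"Software\Baoa", {})):
        findings["Baoa"] = ["config key with Cnae and Dpoo"]
    return findings

SAMPLE_HKCU = {  # constructed sample; a Cyrillic 'о' (U+043E) replaces the 'o' in "Microsoft"
    r"Software\Microsoft\Windows\CurrentVersion\Run": {
        "Otla": '"C:\\Program Files\\Micr\u043esoft\\winlogon.exe" -vt ndrv'},
    r"Software\Baoa": {"Cnae": "<data>", "Dpoo": "<data>"}}
```

Note that a legitimate `C:\Windows\system32\notepad.exe` entry is reported only for its name, so the name list alone is not a verdict; the look-alike folder and the "-vt ndrv" argument are the decisive indicators.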