Trojan.Downloader.JKIZ (aliases: Trojan-Clicker.Win32.VB.bjk, TR/Click.VB.bjk, Win32/TrojanClicker.VB.BJK trojan)
SYMPTOMS:
TECHNICAL DESCRIPTION:
When the malware starts it creates files in the following locations:
%windir%\system32\debug.exe
%windir%\system32\drivers\beep.sys
randomly named files such as c:\000F443C\1000516

The file beep.sys is registered as a Windows service; the following registry keys are created:
HKLM\System\CurrentControlSet\Services\Beep\Type
HKLM\System\CurrentControlSet\Services\Beep\Start
HKLM\System\CurrentControlSet\Services\Beep\ImagePath
HKLM\System\CurrentControlSet\Services\Beep\DisplayName

The malware disables the Task Manager by creating the following registry key, with the value Debugger set to "ntsd -d":
SoftWare\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Similar registry keys are created in order to disable antivirus software too.

After this installation the original file deletes itself by creating and starting a .bat file made for this purpose.

The purpose of the malware is to download and run other malicious software on the user's machine. In order to do so, it downloads a list of URLs from locations such as:
http://www.gucc?????prada.txt
http://www.ball??????prada.txt

The downloaded lists are stored in randomly named files (c:\000f60e9\1010983) and look like this:
36
http://0.0o-??????/zip1.exe
http://0.0o-??????/zip2.exe
http://0.0o-??????/zip3.exe
http://0.0o-??????/zip4.exe
.............

The files downloaded from these lists generally belong to the Trojan.PWS.OnlineGames family and are used to steal account information for certain online games.

Removal instructions:
Delete the aforementioned files and registry keys. In order to delete the file debug.exe you need to kill the process first. You can do this by running the following command:
taskkill /IM debug.exe /F

ANALYZED BY: Deac Razvan-Ioan, virus researcher
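The following PowerShell script is an added example, not part of the original write-up, that audits a machine for the indicators named above: Image File Execution Options (IFEO) "Debugger" hijacks of the kind set on taskmgr.exe, the dropped debug.exe and beep.sys, and the Beep service registration. With -Remove it carries out the removal steps the write-up describes (delete the taskmgr.exe Debugger value, stop and delete debug.exe). The parameter name, the $Remove switch and the reporting layout are this example's own choices; the paths and registry keys come from the description above.

```powershell
# Added example (not the original analysis): audit IFEO hijacks and the files/keys
# named in the write-up. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. Report every IFEO subkey carrying a Debugger value. Any such value redirects
#    process launches, so each hit is listed for review rather than removed blindly
#    (a developer box may legitimately have a few).
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
    }
} | Format-Table -AutoSize

# 2. The specific hijack described above: taskmgr.exe -> Debugger = "ntsd -d".
$tmKey = Join-Path $ifeo 'taskmgr.exe'
$tmDbg = (Get-ItemProperty -Path $tmKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($tmDbg) {
    Write-Warning "taskmgr.exe has an IFEO Debugger value: '$tmDbg'"
    if ($Remove) {
        Remove-ItemProperty -Path $tmKey -Name Debugger
        Write-Host 'Removed Debugger value for taskmgr.exe'
    }
}

# 3. Dropped files named in the write-up. debug.exe is also a legitimate file on
#    32-bit Windows, so the size and timestamp are shown for confirmation (e.g. by an
#    AV scan) before anything is deleted.
$debugExe = Join-Path $env:windir 'system32\debug.exe'
$beepSys  = Join-Path $env:windir 'system32\drivers\beep.sys'
foreach ($f in $debugExe, $beepSys) {
    if (Test-Path $f) {
        $item = Get-Item $f
        Write-Host ('{0}  size={1}  modified={2}' -f $f, $item.Length, $item.LastWriteTime)
    }
}

# 4. Beep service registration. Beep is also a legitimate Windows service name, so
#    the Type/Start/ImagePath/DisplayName values are printed for review, not deleted.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Beep' -ErrorAction SilentlyContinue |
    Select-Object Type, Start, ImagePath, DisplayName | Format-List

# 5. Removal of debug.exe requires the process to be stopped first, as in the
#    taskkill step of the write-up.
if ($Remove -and (Test-Path $debugExe)) {
    taskkill /IM debug.exe /F 2>$null
    Remove-Item -Path $debugExe -Force
    Write-Host "Deleted $debugExe"
}
```

Run it once without -Remove to see what is present; the IFEO table is the fastest way to spot the same trick applied to antivirus process names, which the write-up says the malware also does.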