
Trojan.Downloader.JLEA

(Trojan-Downloader.Win32.Agent.ambm TrojanDownloader.Win32.Agent.ambm Downloader-BLA)

Symptoms

Inability to load the sites listed at the end of the following section.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Deac Razvan-Ioan, virus researcher

Technical Description:

This executable is used to download and run other malicious applications from the internet (mostly password stealers).

When run, the downloader drops a dynamic link library in the %temp% directory under a random name, such as 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp.
The malware uses a function exported by this DLL to run the files it downloads (probably to avoid heuristic detections based on classic API calls).

The malware gets a list with the internet locations of the files to download from http://www.oi......./ko.txt. It is saved as %system32%\kn.txt and it looks like this:

[file]   
open=y
url1=http://61.160.....ew/new1.exe
url2=http://61.160...../new2.exe
url3=http://61.160.....new3.exe
url4=http://61.160.2..../new4.exe
url5=http://61.160.21....ew5.exe
url6=http://61.160.210.....6.exe
url7=http://61.160.210.4..../new7.exe
...

This list is parsed and the files are downloaded and executed (with a certain random delay between these operations).

Also, this executable replaces the hosts file (%system32%\drivers\etc\hosts) with another one downloaded from http://www.oi...../ad.jpg. This is a fragment of the downloaded hosts file:
...
127.0.0.0       www.hackerbf.cn
127.0.0.0       geekbyfeng.cn
127.0.0.0       ppp.etimes888.com
127.0.0.0       www.bypk.com
127.0.0.1       va9sdhun23.cn
127.0.0.2       bnasnd83nd.cn
127.0.0.0       www.gamehacker.com.cn
127.0.0.0       gamehacker.com.cn
127.0.0.3       adlaji.cn
127.0.0.1       858656.com
127.1.1.1       bnasnd83nd.cn
127.0.0.1       my123.com
127.0.0.0       user1.12-27.net

...
This hosts file doesn't block any AV update servers. It is probably used only to overwrite the previous hosts file, which might have contained some deliberately chosen blocks. However, a good way to tell whether the malware ran on your machine is to check whether you can access these sites.
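The following added example (not Bitdefender's code) shows two analyst-side checks for this sample: a parser for the [file]/urlN= download list format described above, and a scan of a hosts file for the loopback-mapped domains from the fragment. The URLs and hosts lines used as input are constructed placeholders, since the real ones are elided in the description.

```python
import re
from typing import Dict, List

# Domains from the replaced hosts file fragment above (the indicator set).
BLOCKED_DOMAINS = {
    "www.hackerbf.cn", "geekbyfeng.cn", "ppp.etimes888.com", "www.bypk.com",
    "va9sdhun23.cn", "bnasnd83nd.cn", "www.gamehacker.com.cn", "gamehacker.com.cn",
    "adlaji.cn", "858656.com", "my123.com", "user1.12-27.net",
}

def parse_download_list(text: str) -> List[str]:
    """Extract urlN= values from the [file] section of a kn.txt-style list,
    returned in numeric order, so an analyst can see what would be fetched."""
    urls: Dict[int, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "file" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        m = re.fullmatch(r"url(\d+)", key.lower())
        if m:
            urls[int(m.group(1))] = value
    return [urls[n] for n in sorted(urls)]

def hosts_indicators(hosts_text: str) -> List[str]:
    """Return indicator domains that the hosts file maps to a 127.0.0.0/8
    address (the sample uses several such addresses, not only 127.0.0.1)."""
    hits: List[str] = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(parts) < 2 or not parts[0].startswith("127."):
            continue
        for name in parts[1:]:
            if name.lower() in BLOCKED_DOMAINS and name.lower() not in hits:
                hits.append(name.lower())
    return hits

# Constructed sample inputs (placeholder URLs, not the real ones).
SAMPLE_LIST = "[file]\nopen=y\nurl2=http://example.invalid/new2.exe\nurl1=http://example.invalid/new1.exe\n"
SAMPLE_HOSTS = "# constructed\n127.0.0.1\tlocalhost\n127.0.0.0\twww.hackerbf.cn\n127.1.1.1\tbnasnd83nd.cn\n"

if __name__ == "__main__":
    print(parse_download_list(SAMPLE_LIST))
    print(hosts_indicators(SAMPLE_HOSTS))
```

A non-empty result from hosts_indicators on a machine's real hosts file is the on-disk equivalent of the "can you reach these sites" check in the description.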