Trojan.Downloader.JLEA (Trojan-Downloader.Win32.Agent.ambm, TrojanDownloader.Win32.Agent.ambm, Downloader-BLA)
SYMPTOMS: Inability to load the sites listed at the end of the following section.

TECHNICAL DESCRIPTION: This executable is used to download and run other malicious applications from the internet (mostly password stealers).

When run, the downloader drops a dynamic library file in the %temp% directory under a random name such as 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp. The malware uses a function from this DLL to run the files it downloads (probably to avoid heuristic detections based on classic API calls).

The malware gets a list with the internet locations of the files to download from http://www.oi......./ko.txt. It is saved as %system32%\kn.txt and looks like this:

    [file]
    open=y
    url1=http://61.160.....ew/new1.exe
    url2=http://61.160...../new2.exe
    url3=http://61.160.....new3.exe
    url4=http://61.160.2..../new4.exe
    url5=http://61.160.21....ew5.exe
    url6=http://61.160.210.....6.exe
    url7=http://61.160.210.4..../new7.exe
    ...

This list is parsed and the files are downloaded and executed, with a random delay between these operations.

This executable also replaces the hosts file (%system32%\drivers\etc\hosts) with another one downloaded from http://www.oi...../ad.jpg. This is a fragment of the downloaded hosts file:

    ...
    127.0.0.0 www.hackerbf.cn
    127.0.0.0 geekbyfeng.cn
    127.0.0.0 ppp.etimes888.com
    127.0.0.0 www.bypk.com
    127.0.0.1 va9sdhun23.cn
    127.0.0.2 bnasnd83nd.cn
    127.0.0.0 www.gamehacker.com.cn
    127.0.0.0 gamehacker.com.cn
    127.0.0.3 adlaji.cn
    127.0.0.1 858656.com
    127.1.1.1 bnasnd83nd.cn
    127.0.0.1 my123.com
    127.0.0.0 user1.12-27.net
    ...

This hosts file doesn't prevent any AV updates. It is probably used only to replace the previous hosts file, which might have contained some cleverly chosen interdictions. However, a good way to tell whether the malware ran on your machine is to check whether you can access these sites.

REMOVAL INSTRUCTIONS: Please let BitDefender disinfect your files.

ANALYZED BY: Deac Razvan-Ioan, virus researcher
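As an added triage example (not BitDefender's code), the Python below parses the two on-disk artefacts described above: the [file]/urlN= download list format of kn.txt, so the URLs can be extracted for blocking, and a hosts file, reporting hostnames pinned into 127.0.0.0/8 that are not local names, which is the trace the replaced hosts file leaves and the cause of the "site will not load" symptom. Both sample inputs are constructed; the download URLs use a placeholder domain because the page truncates the real ones.

```python
import configparser
import ipaddress
import re

# Constructed sample of %system32%\kn.txt; the page truncates the real URLs,
# so a placeholder domain is used here.
SAMPLE_KN_TXT = """[file]
open=y
url1=http://downloader.example/new1.exe
url2=http://downloader.example/new2.exe
url3=http://downloader.example/new3.exe
"""

# Constructed hosts-file fragment in the style of the replacement described above.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.0 www.hackerbf.cn
127.0.0.2 bnasnd83nd.cn   # sinkholed under a non-standard loopback address
127.1.1.1 bnasnd83nd.cn
192.168.1.10 fileserver.local
"""

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def download_list(text):
    """Parse the [file] section: return (open flag, urls in urlN order)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("file"):
        return False, []
    sec = cp["file"]
    keys = sorted((k for k in sec if re.fullmatch(r"url\d+", k)),
                  key=lambda k: int(k[3:]))
    return sec.get("open", "n").strip().lower() == "y", [sec[k] for k in keys]


def sinkholed_hosts(text):
    """Return hostnames mapped into 127.0.0.0/8 that are not local names.

    A public site pinned to loopback is what produces the 'site will not load'
    symptom after the hosts file has been swapped; comments are ignored."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    hits = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        if addr in loopback:
            hits.update(h.lower() for h in fields[1:] if h.lower() not in LOCAL_NAMES)
    return sorted(hits)
```

Run `sinkholed_hosts()` over the contents of %system32%\drivers\etc\hosts on a suspect machine; any non-empty result is the same signal as the manual "can you reach these sites" check above.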