Symptoms

Removal instructions:

Analyzed By

Technical Description:

The Trojan spreads by spamming instant messages to contacts. 

The malicious application copies itself in the operating system's folder with the name "jusched.exe", which is similar to a known programming language file. In order to start itself each time the operating systems runs the following registry values are added  :

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with "Java developer Script Browse" which contains the path of the Trojan "%Windir%\jusched.exe"
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"
3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"

It adds itself as an authorized application for the system's firewall by adding a value into the following keyHKLM\​SYSTEM\​CurrentControlSet\​Services\​SharedAccess\​Parameters\​FirewallPolicy\​StandardProfile\​AuthorizedApplications\​List .

It stops the Windows Automatic Updates Service, preventing the user from getting the necessary updates, including the ones that ensure the security of the system. It also tries to stop msmpsvc.exe which belongs to Microsoft Malware Protection Service. 

It has the ability to send messages to contacts on the following instant messaging applications : Skype, Yahoo Messenger, AIM (AOL Instant Messenger).