Trojan.Downloader.JJRL
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Downloader.JJRL is also known as Trojan-Downloader.Win32.PurityScan.fk (KAV).
Explanation:
The trojan copies itself to locations of the form "%FOLDER_1%\%FOLDER_2%\%TROJAN_NAME%", where:
%FOLDER_1% is one of the following: Windows, Program Files, My Documents
%FOLDER_2% is one of the following: Oracle, Symantec, Adobe, Microsoft, Microsoft.NET, Drivers, WinSxS, Tasks, system32, system, symbols, security, Fonts, assembly, AppPatch
The trojan replaces one character in the names above with a look-alike non-ASCII character.
%TROJAN_NAME% is chosen at random from the following list:
regsvr32, regedit, tracert, nslookup, mshta, nopdb, winword, ati2evxx, spool32, msconfig, userinit, netdde, scanregw, wucrtupd, wuauboot, wuauclt, wuaclt, rundll, dexplore, iexplore, notepad, msdtc, javaw, ntvdm, wowexec, winspool, taskmgr, rundll32, msiexec, logonui, dvdplay, dllhost, chkdsk, chkntfs, attrib, winlogon, spoolsv, services, lsass, csrss, svchost, explorer
To execute itself at each system startup, the trojan creates the following registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Otla"="\"%PATH_TO_TROJAN%\" -vt ndrv"
where %PATH_TO_TROJAN% is the path to the copy created above.
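The path and Run-key pattern described above can be checked for on a host. The following is an added example, not BitDefender's code. It assumes the substituted character is in the %FOLDER_2% component, and the function names and sample value are constructed for illustration.

```python
import ntpath

# Names copied from the description above; ASCII matching is case-insensitive.
PARENTS = {"windows", "program files", "my documents"}
FOLDERS = ("Oracle Symantec Adobe Microsoft Microsoft.NET Drivers WinSxS Tasks "
           "system32 system symbols security Fonts assembly AppPatch").split()
NAMES = set(("regsvr32 regedit tracert nslookup mshta nopdb winword ati2evxx "
             "spool32 msconfig userinit netdde scanregw wucrtupd wuauboot "
             "wuauclt wuaclt rundll dexplore iexplore notepad msdtc javaw "
             "ntvdm wowexec winspool taskmgr rundll32 msiexec logonui dvdplay "
             "dllhost chkdsk chkntfs attrib winlogon spoolsv services lsass "
             "csrss svchost explorer").split())


def imitated_folder(name):
    """Return the listed folder that `name` imitates, or None.

    A hit has the same length as a listed name and differs from it in exactly
    one position, where the substituted character is non-ASCII.
    """
    for real in FOLDERS:
        if len(name) != len(real):
            continue
        diff = [a for a, b in zip(name, real)
                if not (a.isascii() and a.lower() == b.lower())]
        if len(diff) == 1 and not diff[0].isascii():
            return real
    return None


def check_path(path):
    """Return the imitated folder name if `path` fits the pattern, else None."""
    parts = ntpath.normpath(path).split("\\")
    if len(parts) < 3:
        return None
    parent, folder, filename = parts[-3:]
    stem = ntpath.splitext(filename)[0].lower()
    if parent.lower() in PARENTS and stem in NAMES:
        return imitated_folder(folder)
    return None


def check_run_value(value):
    """Check a Run-key value of the form '"<path>" -vt ndrv'."""
    if value.count('"') < 2 or not value.rstrip().endswith("-vt ndrv"):
        return None
    return check_path(value.split('"')[1])


# Constructed sample: the 'o' in "Microsoft" is U+043E (Cyrillic small o).
SAMPLE = '"C:\\Windows\\Micr\u043esoft\\svchost.exe" -vt ndrv'
```

Comparing character by character, rather than against a fixed table of look-alikes, flags any single non-ASCII substitution, including ones that case-fold to an ASCII letter.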
The trojan tries to download a file named 'ctxad.exe' from http://outerinfo.com into the %TEMP% directory and, if the download succeeds, executes it. The file is also detected by BitDefender as malware.
Last update 21 November 2011