Virus:Win32/Jadtre.E
First posted on 18 June 2010.
Source: SecurityHome
Aliases:
Virus:Win32/Jadtre.E is also known as Win32/Wapomi.A (CA), Trojan.Starter.1410 (Dr.Web), Virus.Win32.Jadtre (Ikarus), Trojan-Downloader.Win32.Agent.dryb (Kaspersky), W32/Fujacks.be (McAfee), W32/Pikorms.G (Norman), W32/Bototer.B (Panda), Win32.Cmt.b (Rising AV), Mal/EncPk-ND (Sophos), W32/Wapomi!inf (Symantec), PE_DOWN.A (Trend Micro).
Explanation:
Virus:Win32/Jadtre.E is a detection for a virus that infects Windows executable files, and spreads to computers via network shares and removable drives. The virus attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.
Installation
When executed, a file infected with Virus:Win32/Jadtre.E drops and executes a copy of the virus body as the following:
c:\cmt.exe
The dropped virus file "cmt.exe" attempts to install itself as a Windows system service DLL. It searches for a stopped system service from the following list:
Schedule
RemoteRegistry
helpsvc
CryptSvc
Themes
Browser
Tapisrv
Nla
Netman
SSDPSRV
upnphost
Ntmssvc
EventSystem
xmlprov
WmdmPmSN
FastUserSwitchingCompatibility
BITS
AppMgmt
If the virus does not find a stopped service in the above list, it attempts to stop one of the services itself. The virus disables Windows System File Checker (SFC) and replaces the DLL of the stopped service with a copy of "cmt.exe". The virus DLL may therefore be named one of the following, depending on which service it replaces:
schedsvc.dll
regsvc.dll
pchsvc.dll
cryptsvc.dll
browser.dll
tapisrv.dll
mswsock.dll
netman.dll
ssdpsrv.dll
upnphost.dll
ntmssvc.dll
es.dll
xmlprov.dll
mspmsnsv.dll
shsvcs.dll
qmgr.dll
appmgmts.dll
Virus:Win32/Jadtre.E sets the replaced service as an autostart system service to make sure the virus DLL is loaded at each Windows start. Virus:Win32/Jadtre.E may also drop a device driver with a random file name, as the following:
<system folder>\drivers\<random>.sys (e.g. 682E4E5E.sys)
The dropped component may be detected as VirTool:WinNT/Jadtre.B.
Spreads via...
File infection
Virus:Win32/Jadtre.E infects Windows executable files having a file extension of ".EXE". The virus can also infect executables within .RAR archive container files.
Removable drives
Virus:Win32/Jadtre.E copies itself to removable drives as the following:
<drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.
Network shares
Virus:Win32/Jadtre.E attempts to connect to network shares by using a built-in dictionary of user names and passwords. After successfully connecting to a share, the virus drops a copy of the virus body in the shared folder.
Payload
Downloads and executes arbitrary files
Virus:Win32/Jadtre.E connects to a remote host to download and execute arbitrary files on the infected computer.
Modifies HOSTS file
Virus:Win32/Jadtre.E replaces the hosts file "<system folder>\drivers\etc\hosts" with an empty configuration in order to remove any previously blocked hosts.
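The removable-drive spreading routine described above (a copy under "recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe" plus an "autorun.inf" that launches it) can be triaged on a mounted drive with a small parser for the autorun.inf format. The following is an added example for analysts, not code from the writeup or from Microsoft; the drive layout it builds is constructed in a temporary directory, and the function and constant names are the example's own.

```python
import os
import tempfile

JADTRE_FOLDER = "recycle.{645FF040-5081-101B-9F08-00AA002F954E}"  # folder named in the writeup
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # keys that start a program

def parse_autorun(text):
    """Minimal INI parser for autorun.inf: {section: {key: value}}, names case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_targets(text):
    """Programs an autorun.inf would launch, normalized to lowercase backslash paths."""
    autorun, targets = parse_autorun(text).get("autorun", {}), []
    for key in LAUNCH_KEYS:
        value = autorun.get(key, "")
        # A quoted path may contain spaces; otherwise the program ends at the first space.
        exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
        if exe:
            targets.append(exe.replace("/", "\\").lstrip(".\\").lower())
    return targets

def scan_removable_root(root):
    """Findings for a mounted drive root that match the Jadtre.E spreading routine."""
    findings, entries = [], {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" in entries:
        with open(os.path.join(root, entries["autorun.inf"]), errors="replace") as f:
            for target in autorun_targets(f.read()):
                if target == JADTRE_FOLDER.lower() + "\\setup.exe":
                    findings.append("autorun.inf launches " + target)
    folder = entries.get(JADTRE_FOLDER.lower())
    if folder and os.path.isfile(os.path.join(root, folder, "setup.exe")):
        findings.append("dropped copy present: " + folder + "\\setup.exe")
    return findings

def build_demo_drive():  # constructed sample layout in a temp dir, not a real capture
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, JADTRE_FOLDER))
    open(os.path.join(root, JADTRE_FOLDER, "setup.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write('[AutoRun]\nOPEN="%s\\setup.exe"\nicon=setup.exe,0\n' % JADTRE_FOLDER)
    return root
```

Running `scan_removable_root(build_demo_drive())` reports both the launching autorun.inf entry and the dropped copy; the same function can be pointed at a real mounted drive root.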
Analysis by Chun Feng
Last update 18 June 2010