
Trojan.Downloader.JLPK


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.JLPK is also known as EXP/XMLSPAN.B (Avira).

Explanation:

This is a downloader written in JavaScript and is part of a larger malware infection. The detection name refers to the exploit code that is injected into the attacked process.
When executed, the exploit first decrypts its encrypted body. It then locates the addresses of several API functions needed for its operation. Before every API call, a routine checks whether that function is hooked (first opcode 0xE9, jmp, or 0xE8, call) and whether the attacked process is being debugged; in either case it simply refuses to continue executing, in order to hinder reverse engineering and detection.
It then downloads another piece of malware which, once executed by the exploit, drops and executes two more malware files in the %temp% folder (usually c:\documents and settings\user-name\local settings\temp).
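The prologue test described above, as an added example rather than BitDefender's analysis or the malware's own code: an integrity check of the kind an analyst or endpoint agent runs over an API function entry, which flags a leading jmp (0xE9) or call (0xE8) and decodes the rel32 displacement to the branch target so the patch can be traced. The sample prologues and addresses are constructed, and 32-bit address arithmetic is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Verdict on the first bytes of an API function entry. */
typedef struct {
    int      hooked;   /* 1 if the prologue begins with E9 (jmp rel32) or E8 (call rel32) */
    uint8_t  opcode;   /* the first opcode byte */
    uint32_t target;   /* decoded branch destination when hooked, else 0 */
} hook_info;

/* Inspect the prologue of a function at func_addr (32-bit address space assumed).
   A near jmp/call is 5 bytes: opcode + little-endian rel32, relative to the address
   of the NEXT instruction; unsigned wraparound handles backward displacements. */
hook_info inspect_prologue(uint32_t func_addr, const uint8_t *bytes, size_t n)
{
    hook_info info = {0, 0, 0};
    if (n == 0) return info;
    info.opcode = bytes[0];
    if (bytes[0] != 0xE9 && bytes[0] != 0xE8) return info;   /* clean entry */
    info.hooked = 1;
    if (n < 5) return info;                   /* truncated read: flag it, no target */
    uint32_t rel32 = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                     ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    info.target = func_addr + 5u + rel32;
    return info;
}

/* Constructed sample prologues (not bytes taken from the malware). */
static const uint8_t SAMPLE_CLEAN[5]     = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_JMP_HOOK[5]  = {0xE9, 0xFB, 0x0F, 0x00, 0x00}; /* jmp +0xFFB */
static const uint8_t SAMPLE_CALL_BACK[5] = {0xE8, 0xF6, 0xFF, 0xFF, 0xFF}; /* call -10 (backward) */

static void report(const char *name, uint32_t addr, const uint8_t *b, size_t n)
{
    hook_info h = inspect_prologue(addr, b, n);
    if (h.hooked)
        printf("%-14s at %08" PRIX32 ": opcode %02X, branch to %08" PRIX32 " -> HOOKED\n", name, addr, h.opcode, h.target);
    else
        printf("%-14s at %08" PRIX32 ": opcode %02X -> clean\n", name, addr, h.opcode);
}

int main(void)
{
    report("clean", 0x7C801000u, SAMPLE_CLEAN, 5);
    report("jmp hook", 0x7C801000u, SAMPLE_JMP_HOOK, 5);
    report("call backward", 0x00001000u, SAMPLE_CALL_BACK, 5);
    return 0;
}
```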

Last update 21 November 2011
