
Trojan.Downloader.JIYC


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.Downloader.JIYC is also known as Trojan.Inject.380 and Backdoor.Win32.Agent.

Explanation :

When executed, the virus checks whether it is running on a Win32 NT platform. If it is not, it simply downloads a file from:

http://xxx.xxx.xxx.xxx/[hash obtained from Computer name]

(the path is a hash derived from the computer name) and executes it.

If it is on an NT platform, it copies itself into the SystemRoot directory under a randomly generated name.
If the Schedule service is stopped, it starts it and adds Scheduled Jobs that launch the copy every hour. The virus then scans the Autorun registry keys and infects the (.exe) programs it finds there.

Infection consists in:
- making a backup copy in the same directory, with the same name but with the .ex_ extension
- increasing the size of the last section and writing its code there
- modifying the EntryPoint to point at the virus code, returning to the original EntryPoint after its own code has executed
- the code written into the infected file simply executes the virus copy placed earlier in the SystemRoot directory

If the virus finds a process named "zlclient.exe" in memory, it deletes itself.
Otherwise it injects a DLL embedded in the virus file into every process in the system it has write access to; the DLL does the same thing: it injects itself into other processes and downloads and executes the file from the link above.

The virus itself then downloads the file from the link above and executes it.

If a file infected by the virus contains an overlay, the overlay data is corrupted by the virus during infection.
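The infection pattern described above (entry point redirected into an enlarged last section, an .ex_ backup beside the file, and a damaged overlay after the section data) can be checked for with a small PE header walk. The following script is an added triage example, not BitDefender's code and not part of the original description; it assumes the standard PE32 header layout (e_lfanew at 0x3C, AddressOfEntryPoint at offset 16 of the optional header, 40-byte section headers) and builds two constructed sample images in memory so it runs offline. The sample names, section layout and the 7-byte overlay are invented for the test.

```python
import os
import struct
from collections import namedtuple

Section = namedtuple("Section", "name vaddr vsize rawptr rawsize")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section...]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]          # AddressOfEntryPoint (RVA)
    table_off = opt_off + size_opt
    sections = []
    for i in range(num_sections):
        off = table_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vaddr, vsize, rawptr, rawsize))
    return entry, sections


def scan_pe(data):
    """Return indicator strings for the described infection pattern (triage hints, not proof)."""
    entry, sections = parse_pe(data)
    findings = []
    last = sections[-1]
    last_end = last.vaddr + max(last.vsize, last.rawsize)
    if last.vaddr <= entry < last_end:
        findings.append(f"entry point 0x{entry:x} lies in last section {last.name}")
    raw_end = max(s.rawptr + s.rawsize for s in sections)
    if len(data) > raw_end:
        findings.append(f"{len(data) - raw_end} bytes of overlay after the last section")
    return findings


def backup_copy_path(exe_path):
    """Path at which the described .ex_ backup copy would sit beside an infected file."""
    return os.path.splitext(exe_path)[0] + ".ex_"


def scan_file(path):
    """Scan a file on disk and also look for the .ex_ backup copy next to it."""
    with open(path, "rb") as fh:
        findings = scan_pe(fh.read())
    if os.path.exists(backup_copy_path(path)):
        findings.append("backup copy with .ex_ extension present")
    return findings


def build_sample_pe(entry_rva, sections, overlay=b""):
    """Constructed minimal PE32 image for exercising the checks; not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                    rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize, rawptr, rawsize in sections)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table)
    end = max(rawptr + rawsize for *_, rawptr, rawsize in sections)
    image.extend(b"\0" * (end - len(image)))                         # pad up to the raw data
    return bytes(image) + overlay


# Constructed samples: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
CLEAN_SAMPLE = build_sample_pe(
    0x1000, [(".text", 0x1000, 0x200, 0x400, 0x200), (".data", 0x2000, 0x100, 0x600, 0x200)])
INFECTED_SAMPLE = build_sample_pe(
    0x2100, [(".text", 0x1000, 0x200, 0x400, 0x200), (".data", 0x2000, 0x300, 0x600, 0x400)],
    overlay=b"OVERLAY")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected-looking", INFECTED_SAMPLE)):
        print(label, scan_pe(sample) or ["no indicators"])
```

An entry point inside the last section is also what many legitimate packers produce, so treat a hit as a reason to pull the file for closer analysis rather than as a verdict; the .ex_ sibling and a corrupted overlay are the more specific signs for this family.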

Last update 21 November 2011
