
Trojan.Downloader.JKIZ


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Downloader.JKIZ is also known as Trojan-Clicker.Win32.VB.bjk, TR/Click.VB.bjk, Win32/TrojanClicker.VB.BJK.

Explanation:

When the malware starts it creates files in the following locations:
%windir%\system32\debug.exe
%windir%\system32\drivers\beep.sys
randomly named files such as c:\00F443C1000516

The file beep.sys is registered as a Windows service; the following registry keys are created:
HKLM\System\CurrentControlSet\Services\Beep\Type
HKLM\System\CurrentControlSet\Services\Beep\Start
HKLM\System\CurrentControlSet\Services\Beep\ImagePath
HKLM\System\CurrentControlSet\Services\Beep\DisplayName

The malware disables the Task Manager by creating the following registry key (an Image File Execution Options debugger entry):
SoftWare\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = "ntsd -d"

Similar registry keys are created in order to disable antivirus software too.
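The Image File Execution Options (IFEO) "Debugger" trick described above is easy to audit offline: any IFEO subkey carrying a Debugger value redirects that process to another executable, and a value of "ntsd -d" on taskmgr.exe (or on antivirus processes) is the pattern this family uses. The following is an added example, not part of the BitDefender description; it parses a constructed .reg export (the sample text and all key/value contents are illustrative assumptions, not data from the page) and reports every IFEO Debugger entry it finds.

```python
import re

# Constructed sample .reg export for illustration only (not taken from the page).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="%windir%\\system32\\drivers\\beep.sys"
"DisplayName"="Beep"
"""

# Lower-cased IFEO key fragment; the process name is the subkey that follows it.
IFEO_PREFIX = "\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"

VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string and dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, s, d = m.groups()
                # .reg files escape backslashes as "\\"; undo that for string values.
                keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys


def find_ifeo_hijacks(keys):
    """Return (process, debugger) for every IFEO subkey that sets a Debugger value."""
    hits = []
    for path, values in keys.items():
        idx = path.lower().find(IFEO_PREFIX)
        if idx == -1 or "Debugger" not in values:
            continue  # not an IFEO key, or no redirection configured
        process = path[idx + len(IFEO_PREFIX):].lower()
        hits.append((process, values["Debugger"]))
    return hits


if __name__ == "__main__":
    for process, debugger in find_ifeo_hijacks(parse_reg(SAMPLE_REG)):
        print(f"IFEO debugger on {process}: {debugger!r}")
```

Legitimate IFEO entries usually set other values (for example DisableHeapLookaside); a Debugger value that names ntsd, cmd or a random file is what needs a closer look.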

After installation, the original file deletes itself by creating and starting a .bat file for this purpose.

The purpose of the malware is to download and run other malicious software on the user's machine. In order to do so, it downloads a list of URLs from locations such as:
http://www.gucc?????prada.txt
http://www.ball??????prada.txt

The downloaded lists are stored in randomly named files (such as c:\00f60e91010983) and look like this:
36
http://0.0o-??????/zip1.exe
http://0.0o-??????/zip2.exe
http://0.0o-??????/zip3.exe
http://0.0o-??????/zip4.exe
.............

The files downloaded from these lists generally belong to the Trojan.PWS.OnlineGames family and are used to steal account information for certain online games.

Last update 21 November 2011
