JS_MAPPER.IOP

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Trojan drops the following files:

• %User Startup%\winlogon.vbs

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\2
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\4
2500 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
IEHardenIENoWarn = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap
IEHarden = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Check_Associations = "no"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range12345
Range = "coffee.nukenin.com:80"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range12345
http = "2"

Other Details

This Trojan connects to the following possibly malicious URL:

• http://coffee.{BLOCKED}nin.com/asyn.aspx
• http://coffee{BLOCKED}enin.com/favicon.ico
• http://coffee.{BLOCKED}nin.com/index.html
• http://coffee.{BLOCKED}nin.com:80