TROJ_JORIK.NES

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following component file(s):

• %Application Data%\DCap.exe - detected as TROJ_JORK.NES
• %System Root%\config\1.exe - detected as TROJ_JORK.NES
• %System Root%\config\2.exe - detected as TSPY_BANKER.ZZQ
• %Application Data%\{current date}.txt (in format mm.dd.yyyy)
• %Application Data%\arquivo.txt
• %Application Data%\new.txt
• %Application Data%\SETUP19.txt

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\config

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It injects threads into the following normal process(es):

• csrss.exe
• lsass.exe
• svchost.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
DCap = "%Application Data%\DCap.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
%System Root%\config\1.exe = "%System Root%\config\1.exe"

Other System Modifications

This Trojan also creates the following registry entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = "0"

Dropping Routine

This Trojan executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Download Routine

This Trojan connects to the following URL(s) to download its component file(s):

• http://www.{BLOCKED}u.com//piwik/libs/{random 1 character}.jpg - inaccessible
• http://www.{BLOCKED}ulo.es/{random 1 character}.jpg - detected as TROJ_JORIK.NES
• http://publicad.{BLOCKED}u.ac.th/php/libmysql.dll - non-malicious component
• http://phdph.{BLOCKED}u.ac.th//L10Apps/6.inf - non-malicious component

It saves the files it downloads using the following names:

• %Application Data%\libmysql.dll
• %Application Data%\{random 1 character}.jpg

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Other Details

This Trojan connects to the following time servers to determine the current date:

• http://realtime.services.disqus.com