JAVA_ADWIND.MWT
RDN/BackDoor-Adwind!a (McAfee); a variant of Java/Adwind.H trojan (Nod32); Trojan.Java.Agent.dh (Kaspersky); Java/Adwind.B (exact) (Fprot)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This backdoor drops the following files:
- %Application Data%\FolderName\Desktop.ini
- %Application Data%\localhost\Desktop.ini
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %Application Data%\FolderName\Jargreg.wYD
- %Application Data%\localhost\jvar.jar.ZrP
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\FolderName
- %Application Data%\localhost
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This backdoor creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
RegistryName = ""{Java installation folder}\javaw.exe" -jar "%Application Data%\FolderName\Jargreg.wYD""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
localhost.ini = ""{Java installation folder}\javaw.exe" -jar "%Application Data%\localhost\jvar.jar.ZrP""
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.249.250:1505
- {BLOCKED}.{BLOCKED}.105.166:3334