TROJ_JORIK.CKO

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %System%\igfxnt86.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Intel Data Services = "%System%\igfxnt86.exe"

Other System Modifications

This Trojan adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers

It adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\igfxnt86.exe = "DisableNXShowUI"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\igfxnt86.exe = "%System%\igfxnt86.exe:*:Enabled:Intel Data Services"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\igfxnt86.exe = "%System%\igfxnt86.exe:*:Enabled:Intel Data Services"

Download Routine

This Trojan connects to the following malicious URLs:

• http://{BLOCKED}1.{BLOCKED}ackupsrv.su/net/5x2.zip