JAVA_BANLOAD.TNB
Trojan:Java/Adwind.F (Microsoft)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
98,227 bytes
19 Aug 2015
Arrival Details
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- %User Profile%\LZzglosoHNob\POFE2Pbb\{copy of files under Java Installation folder}
- %Windows%\t.txt
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It drops the following copies of itself into the affected system:
- %User Profile%\LZzglosoHNob\LZzglosoHNob\194BOhv0M0nb.U4hGC1b
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It creates the following folders:
- %User Profile%\LZzglosoHNob
- %User Profile%\LZzglosoHNob\b7PnlYR4bTiv
- %User Profile%\LZzglosoHNob\LZzglosoHNob
- %User Profile%\LZzglosoHNob\POFE2Pbb
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
PE9FI1EVfdbl = "%User Profile%\LZzglosoHNob\POFE2Pbb\bin\javaw.exe" -jar "%User Profile%\LZzglosoHNob\LZzglosoHNob\194BOhv0M0nb.U4hGC1b"
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.181.94