TROJ_JORIK.GTV
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
Varies
EXE
Yes
29 Sep 2011
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This Trojan drops and executes the following files:
- %User Temp%\hrYYMzbw.exe - detected as TROJ_JORIK.GTV
- %User Temp%\PsNbpVoYeDspj.exe - detected as TROJ_JORIK.GTV
- %User Temp%\{5randomchars}.exe - detected as TROJ_JORIK.GTV
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It drops the following non-malicious files:
- %User Temp%\google.exe
- %User Temp%\teamwin.exe
- %Application Data%\25FEJUYXLR.exe
- %Application Data%\EQR2XYXBTC.exe
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Team = "%User Temp%\hrYYMzbw.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Google = "%User Temp%\PsNbpVoYeDspj.exe"