Virus:Win32/Jadtre.A is a detection for a virus that infects Windows executable files, modifies HTML files, and spreads to computers across a network and via removable drives. The virus prevents Windows from starting in safe mode, attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.
Installation
When executed, a Virus:Win32/Jadtre.A-infected file drops and executes a copy of the virus body as the following:
%TEMP%\ReInstall.exe
The dropped virus file "ReInstall.exe" attempts to install itself as a system service DLL. It searches for a stopped system service from the following list:
Schedule
RemoteRegistry
helpsvc
CryptSvc
Themes
Browser
Tapisrv
Nla
Netman
SSDPSRV
upnphost
Ntmssvc
EventSystem
xmlprov
WmdmPmSN
FastUserSwitchingCompatibility
BITS
AppMgmt
If the virus does not find a stopped service in the above list, it attempts to stop one of the services itself. The virus disables Windows File Protection (the System File Checker, SFC) and replaces the stopped service's DLL with a copy of "ReInstall.exe". The virus DLL may therefore carry one of the following names, depending on which service it replaces:
schedsvc.dll
regsvc.dll
pchsvc.dll
cryptsvc.dll
browser.dll
tapisrv.dll
mswsock.dll
netman.dll
ssdpsrv.dll
upnphost.dll
ntmssvc.dll
es.dll
xmlprov.dll
mspmsnsv.dll
shsvcs.dll
qmgr.dll
appmgmts.dll
Virus:Win32/Jadtre.A sets the replaced service as an autostart system service to make sure the virus DLL is loaded at each Windows start.
Spreads via…
File infection
Virus:Win32/Jadtre.A infects Windows executable files with the ".EXE" file extension. It can also infect executables stored inside .RAR archive files.
Removable drives
Virus:Win32/Jadtre.A copies itself to removable drives as the following:
<drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
The virus then writes an Autorun configuration file named "autorun.inf" that points to "setup.exe". When the drive is accessed from a computer on which the Autorun feature is active, the virus is launched automatically.
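As an added triage example, not part of the original write-up, the Python below matches the two removable-drive artifacts described above (the dropped copy under the recycle.{CLSID} folder and the autorun.inf entry that launches it) against a drive listing. The sample paths and autorun.inf content are constructed, and the set of autorun keys treated as launch commands is an assumption.

```python
import re

# Indicators from the write-up: where the copy lands on a removable drive
# and the autorun.inf entry that launches it.
RECYCLE_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
DROP_DIR = "recycle." + RECYCLE_CLSID
DROP_NAME = "setup.exe"
DROPPER = (DROP_DIR + "\\" + DROP_NAME).lower()
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}  # assumed launch keys

def autorun_targets(text):
    """Return the launch-command values from the [autorun] section of an autorun.inf."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append(value.strip().strip('"'))
    return targets

def points_to_dropper(target):
    r"""True if an autorun target resolves to recycle.{CLSID}\setup.exe on the drive."""
    t = target.lower().replace("/", "\\").lstrip(".\\")
    t = re.sub(r"^[a-z]:\\", "", t)          # drop a drive-letter prefix
    m = re.match(r"(.*?\.exe)(\s|$)", t)     # ignore trailing arguments
    return bool(m) and m.group(1) == DROPPER

def drive_indicators(paths, autorun_text):
    """Names of the write-up's removable-drive indicators present in a drive listing."""
    hits = []
    if any(p.lower().replace("/", "\\").endswith(DROPPER) for p in paths):
        hits.append("dropper_present")
    if any(points_to_dropper(t) for t in autorun_targets(autorun_text)):
        hits.append("autorun_launches_dropper")
    return hits

# Constructed sample of a drive listing and autorun.inf shaped as described.
SAMPLE_PATHS = [r"E:\photos\trip.jpg", r"E:\autorun.inf",
                r"E:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe"]
SAMPLE_AUTORUN = "[autorun]\nopen=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe\n"

if __name__ == "__main__":
    print(drive_indicators(SAMPLE_PATHS, SAMPLE_AUTORUN))  # ['dropper_present', 'autorun_launches_dropper']
```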
Network shares
Virus:Win32/Jadtre.A attempts to connect to network shares using a built-in dictionary of user names and passwords. After successfully connecting to a share, the virus drops a copy of the virus body into the shared folder.
Payload
Modifies system settings
Virus:Win32/Jadtre.A deletes the following registry subkeys to prevent Windows from starting in safe mode or safe mode with networking:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
Infects HTML files
Virus:Win32/Jadtre.A infects HTML files having the following file extensions:
.htm
.html
.asp
.aspx
The virus appends a JavaScript reference that loads a script from the domain "web.nba1001.net".
Connects to a remote server
Virus:Win32/Jadtre.A launches Internet Explorer as a process and connects on port 7777 to a page named "mac.html" at the following domain:
tj.nba1001.net
The site may be collecting data for statistical purposes.
Downloads and executes arbitrary files
Virus:Win32/Jadtre.A connects to a remote host to download and execute arbitrary files on the infected computer. In the wild, Virus:Win32/Jadtre.A has been observed contacting the following domain for this purpose:
up.nba1001.com
Analysis by Chun Feng