Virus:Win32/Jadtre.B is a detection for a virus that infects Windows executable files, modifies HTML files, and spreads to other computers across a network and via removable drives. The virus prevents Windows from starting in safe mode, attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.
Installation
When executed, a Virus:Win32/Jadtre.B infected file drops and executes a copy of the virus body as the following:
%SystemDrive%\booter.exe
The dropped virus file "booter.exe" attempts to install itself as a system service DLL. It searches for a stopped system service from the following list:
Schedule
RemoteRegistry
helpsvc
CryptSvc
Themes
Browser
Tapisrv
Nla
Netman
SSDPSRV
upnphost
Ntmssvc
EventSystem
xmlprov
WmdmPmSN
FastUserSwitchingCompatibility
BITS
AppMgmt
If the virus does not find a stopped service in the above list, it attempts to stop one of them. The virus disables Windows System File Checker (SFC) and replaces the stopped service's DLL with a copy of "booter.exe". The virus DLL may therefore be named one of the following, depending on which service it replaces:
schedsvc.dll
regsvc.dll
pchsvc.dll
cryptsvc.dll
browser.dll
tapisrv.dll
mswsock.dll
netman.dll
ssdpsrv.dll
upnphost.dll
ntmssvc.dll
es.dll
xmlprov.dll
mspmsnsv.dll
shsvcs.dll
qmgr.dll
appmgmts.dll
Virus:Win32/Jadtre.B sets the replaced service as an autostart system service to make sure the virus DLL is loaded at each Windows start.
Spreads via…
File infection
Virus:Win32/Jadtre.B infects Windows executable files with the file extension ".EXE". It can also infect executables stored inside .RAR archive files.
Removable drives
Virus:Win32/Jadtre.B copies itself to removable drives as the following:
<drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
The virus then writes an Autorun configuration file named "autorun.inf" that points to "setup.exe". When the drive is accessed from a computer on which the Autorun feature is enabled, the virus is launched automatically.
Network shares
Virus:Win32/Jadtre.B attempts to connect to network shares using a built-in dictionary of user names and passwords. After successfully connecting to a share, the virus drops a copy of the virus body in the shared folder.
Payload
Modifies system settings
Virus:Win32/Jadtre.B deletes the following registry subkeys to prevent Windows from starting in safe mode or safe mode with networking:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
Infects HTML files
Virus:Win32/Jadtre.B infects HTML files having the following file extensions:
.htm
.html
.asp
.aspx
The virus appends a JavaScript link to the domain "yy.web1000wip.com".
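The removable-drive and HTML-infection behaviours above can be checked from collected files. This is an added triage example, not part of the original analysis: it flags the removable-drive copy path, an autorun.inf that launches setup.exe, and HTML files carrying a script reference to yy.web1000wip.com. The sample inputs are constructed, and the script path in the sample is a placeholder.

```python
import re
from pathlib import PurePosixPath

# Indicators taken from the write-up above (lower-cased for comparison).
REMOVABLE_COPY = ("recycle.{645ff040-5081-101b-9f08-00aa002f954e}", "setup.exe")
HTML_EXTS = {".htm", ".html", ".asp", ".aspx"}
INJECTED_DOMAIN = "yy.web1000wip.com"

# Matches a <script ... src=...> tag whose src refers to the injected domain.
SCRIPT_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?[^'\">]*" + re.escape(INJECTED_DOMAIN),
    re.IGNORECASE,
)

def autorun_points_to_setup(autorun_text: str) -> bool:
    """True if an autorun.inf's open= or shellexecute= line launches setup.exe."""
    for line in autorun_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute") and \
                value.strip().lower().endswith("setup.exe"):
            return True
    return False

def html_is_infected(html: str) -> bool:
    """True if the HTML carries a script reference to the injected domain."""
    return SCRIPT_RE.search(html) is not None

def triage(files: dict) -> list:
    """files maps a Windows path (str) to its text; returns (path, reason) hits."""
    findings = []
    for path, content in files.items():
        # Case-insensitive matching, since Windows file systems are.
        p = PurePosixPath(path.replace("\\", "/"))
        if tuple(s.lower() for s in p.parts[-2:]) == REMOVABLE_COPY:
            findings.append((path, "removable-drive copy of the virus"))
        if p.name.lower() == "autorun.inf" and autorun_points_to_setup(content):
            findings.append((path, "autorun.inf launches setup.exe"))
        if p.suffix.lower() in HTML_EXTS and html_is_infected(content):
            findings.append((path, "script reference to " + INJECTED_DOMAIN))
    return findings

# Constructed sample inputs, not real captures; the .js path is a placeholder.
SAMPLE_FILES = {
    r"E:\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe": "",
    r"E:\autorun.inf": "[autorun]\nopen=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe\n",
    r"C:\site\index.html": "<html><body>x</body></html>\n"
                           '<script src="http://yy.web1000wip.com/placeholder.js"></script>',
    r"C:\site\clean.htm": "<html><body>x</body></html>",
}
```

Running `triage(SAMPLE_FILES)` returns three hits for the first three sample files and none for the clean page.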
Downloads and executes arbitrary files
Virus:Win32/Jadtre.B connects to a remote host to download and execute arbitrary files on the infected computer. In the wild, Virus:Win32/Jadtre.B has been observed contacting the following domain for this purpose:
ad.ns5000wip.com
Analysis by Chun Feng