Threat behavior
Virus:Win32/Jadtre.I is a detection for a virus that infects Windows executable files, and spreads to computers via network shares and removable drives. The virus attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.
Installation
When executed, a file infected with Virus:Win32/Jadtre.I drops and executes a copy of the virus body under a random file name; the dropped copy may be detected as Virus:Win32/Jadtre.gen!A.
The dropped virus file attempts to install itself as a Windows system service DLL. It searches for a stopped system service from the following list:
- Schedule
- RemoteRegistry
- helpsvc
- CryptSvc
- Themes
- Browser
- Tapisrv
- Nla
- Netman
- SSDPSRV
- upnphost
- Ntmssvc
- EventSystem
- xmlprov
- WmdmPmSN
- FastUserSwitchingCompatibility
- BITS
- AppMgmt
If the virus does not find a stopped service in the above list, it attempts to stop one of the listed services. The virus disables Windows System File Checker (SFC) and replaces the stopped service's DLL with a copy of the dropped virus body. The virus DLL may therefore take one of the following names, depending on which service it replaces:
- schedsvc.dll
- regsvc.dll
- pchsvc.dll
- cryptsvc.dll
- browser.dll
- tapisrv.dll
- mswsock.dll
- netman.dll
- ssdpsrv.dll
- upnphost.dll
- ntmssvc.dll
- es.dll
- xmlprov.dll
- mspmsnsv.dll
- shsvcs.dll
- qmgr.dll
- appmgmts.dll
Virus:Win32/Jadtre.I sets the replaced service as an autostart system service so that the virus DLL is loaded at each Windows start. Virus:Win32/Jadtre.I may also drop a device driver with a random file name to the following location:
- <system folder>\drivers\<random>.sys (for example, <system folder>\drivers\55C03AF5.sys)
The dropped component may be detected as VirTool:WinNT/Jadtre.B.
Spreads via…
File infection
Virus:Win32/Jadtre.I infects Windows executable files that have a file extension of ".EXE". The virus can infect executables within .RAR archive container files.
Removable drives
Virus:Win32/Jadtre.I copies itself to the following location on removable drives:
- <drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically.
Network shares
Virus:Win32/Jadtre.I attempts to connect to network shares by using a built-in dictionary containing user names and passwords. After successfully connecting to the share, the virus drops a copy of the virus body in the share folder.
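The dictionary attack against network shares described above leaves a recognisable trace on the target: a burst of failed logons from one source against many different accounts, sometimes followed by a success. The following detection logic is an added example written for this page, not part of the original analysis. It runs over a constructed, simplified logon record format (timestamp, source host, account, outcome); the threshold and window values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified network-logon records, one per line,
# "<ISO timestamp> <source host> <account> <FAILURE|SUCCESS>".
# This is NOT a real Windows event log format; it stands in for whatever
# the environment's logon auditing produces once normalised.
SAMPLE_LOG = """\
2010-03-01T10:00:00 10.0.0.25 Administrator FAILURE
2010-03-01T10:00:01 10.0.0.25 admin FAILURE
2010-03-01T10:00:01 10.0.0.25 guest FAILURE
2010-03-01T10:00:02 10.0.0.25 test FAILURE
2010-03-01T10:00:02 10.0.0.25 user FAILURE
2010-03-01T10:00:03 10.0.0.25 backup SUCCESS
2010-03-01T10:05:00 10.0.0.40 jsmith FAILURE
2010-03-01T10:05:30 10.0.0.40 jsmith SUCCESS
"""

FAIL_THRESHOLD = 5            # assumed: distinct accounts failed from one source
WINDOW = timedelta(seconds=60)  # assumed: sliding window for the burst


def parse(log_text):
    """Turn the constructed log text into (timestamp, source, account, outcome) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split()
        records.append((datetime.fromisoformat(ts), src, account, outcome))
    return records


def find_dictionary_attempts(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for (a) a source whose failed logons against distinct accounts
    within `window` reach `threshold`, and (b) a success from that same source
    while the burst is still inside the window (a guessed credential)."""
    alerts = []
    recent = defaultdict(deque)   # source -> deque of (timestamp, account) failures
    burst_sources = set()         # sources that already triggered alert (a)
    for ts, src, account, outcome in sorted(records):
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "FAILURE":
            q.append((ts, account))
            distinct = {a for _, a in q}
            if len(distinct) >= threshold and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("password_guessing", src, sorted(distinct)))
        elif outcome == "SUCCESS" and src in burst_sources and q:
            alerts.append(("guess_succeeded", src, account))
    return alerts


if __name__ == "__main__":
    for alert in find_dictionary_attempts(parse(SAMPLE_LOG)):
        print(alert)
```

The second host in the sample (one failure, then a success by the same user) is deliberately left unflagged: a single mistyped password is normal, and keying on distinct account names rather than raw failure count is what separates a dictionary run from a user who forgot a password.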
Payload
Downloads and executes arbitrary files
Virus:Win32/Jadtre.I connects to a remote host to download and execute arbitrary files on the infected computer.
Modifies HOSTS file
Virus:Win32/Jadtre.I replaces the hosts file "<system folder>\drivers\etc\hosts" with an empty one, removing any hosts that were previously blocked there.
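Two of the artifacts above are cheap to check for on a suspect drive or host: the autorun.inf on removable media, whose launch entry points into a folder named with the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E} (which makes Explorer display the folder as a Recycle Bin), and a hosts file that has been emptied. The triage functions below are an added example written for this page, not Microsoft's detection logic; the autorun.inf and hosts contents are constructed samples, and the set of launch keys checked is an assumption.

```python
import re

# Constructed autorun.inf matching the layout described above: the launch
# entries point at setup.exe inside the fake recycle folder on the drive.
SAMPLE_AUTORUN = """\
[AutoRun]
open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe
shell\\open\\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\setup.exe
"""

# Constructed benign autorun.inf (a vendor CD that only sets an icon and label).
BENIGN_AUTORUN = """\
[autorun]
icon=product.ico
label=Product Installer
"""

# Recycle Bin shell-folder CLSID, taken from the removable-drive path above.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Assumed set of autorun.inf keys that can launch a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\b")


def parse_autorun(text):
    """Tolerant key=value parser for autorun.inf: keys lowercased, sections and
    ';' comments ignored, so casing tricks in the file do not hide an entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Return human-readable findings for an autorun.inf body."""
    findings = []
    entries = parse_autorun(text)
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if value is None:
            continue
        lowered = value.lower()
        if RECYCLE_BIN_CLSID.lower() in lowered:
            findings.append(f"{key}= launches from a folder named with the Recycle Bin CLSID: {value}")
        elif EXECUTABLE_RE.search(lowered):
            findings.append(f"{key}= launches an executable: {value}")
    return findings


def hosts_findings(text):
    """Flag a hosts file that has been emptied. Windows ships hosts with a comment
    header, so a file with no content at all is the anomaly; a file containing
    only comments is the normal state on Vista and later and is not flagged."""
    if not text.strip():
        return ["hosts file is empty: any previously configured blocks are gone"]
    return []


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN) + hosts_findings(""):
        print(f)
```

Finding an emptied hosts file on its own is weak evidence; it is the combination with the autorun.inf layout, a newly autostarted service from the list above, or an unexpected .sys file in the drivers folder that should raise the priority of a host in triage.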
Analysis by Chun Feng
Prevention