Virus: BDS/Jtram.E
Date discovered: 08/12/2005
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 62.464 Bytes
MD5 checksum: 46E5CBF6377AE68557243414A28F7F11
VDF version: 6.32.01.09

Files
It copies itself to the following location:
   • %SYSDIR%\mfm\msrll.exe

The following file is created:

– Non-malicious file:
   • %SYSDIR%\mfm\jtrma.conf

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\mfm]
   • "Type"=dword:00000120
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000002
   • "ImagePath"="%SYSDIR%\mfm\msrll.exe"
   • "DisplayName"="Rll enhanced drive"
   • "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\CurrentControlSet\Services\mfm\Security]
   • "Security"=%hex values%

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: stolen.zxy0.com
Port: 6667
Channel: #stolen
Nickname: %random character string%


– Furthermore, it has the ability to perform actions such as:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disconnect from IRC server
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Restart system
    • Update itself

Backdoor
The following port is opened:

%SYSDIR%\mfm\msrll.exe listens on TCP port 3000 in order to provide backdoor capabilities.

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Gherman on Friday, December 9, 2005
Description updated by Oliver Auerbach on Friday, December 9, 2005