Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Jorik.SdBot.I
Date discovered:29/06/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:73.216 Bytes
MD5 checksum:9acab14ac79cb554e8a62261982ca896
IVDF version:7.10.08.213 - Tuesday, June 29, 2010

 General Aliases:
   •  Bitdefender: Worm.P2P.Palevo.FM
   •  Panda: W32/MailWorm.P.worm
   •  Eset: IRC/SdBot


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Lowers security settings
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %WINDIR%\jusched.exe
   • %WINDIR%\jusched.exb



It deletes the initially executed copy of itself.




It tries to download a file:

The location is the following:
   • http://browseusers.myspace.com/Browse/**********




It tries to execute the following files:

Filename:
   • net stop MsMpSvc


Filename:
   • net1 stop MsMpSvc


Filename:
   • netsh firewall add allowedprogram 1.exe 1 ENABLE


Filename:
   • "%WINDIR%\jusched.exe"


Filename:
   • explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx


Filename:
   • %WINDIR%\jusched.exe


Filename:
   • net stop wuauserv


Filename:
   • sc config wuauserv start= disabled


Filename:
   • net1 stop wuauserv

 Registry The following registry keys are added in order to run the processes after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\
   Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"



It creates the following entry in order to bypass the Windows XP firewall:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%executed file%"="%WINDIR%\jusched.exe:*:Enabled:Java
      developer Script Browse"

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 202.157.17**********.20
Port: 2345
Channel: #!gf!
Nickname: NEW-[USA|00|P|%number%]

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, September 20, 2010
Description updated by Petre Galan on Monday, September 20, 2010

Back . . . .