Virus: WORM/Jorik.A
Date discovered: 29/09/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 58.880 Bytes
MD5 checksum: 08e2f9f6bfaab01036d290b44b3122c7
VDF version: 7.10.05.118
IVDF version: 7.10.12.84 - Wednesday, September 29, 2010

General
Methods of propagation:
   • Local network
   • Messenger


Aliases:
   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Trojan.Win32.Jorik.IRCbot.io
   •  TrendMicro: WORM_IRCBOT.ANA
   •  Sophos: Mal/PushBot-A
   •  Panda: W32/LoLbot.N.worm
   •  VirusBuster: Worm.Yimfoca!VfGiV1JD0h4
   •  Eset: Win32/Yimfoca.AA
   •  AhnLab: Win-Trojan/Seint.58880.B
   •  DrWeb: BackDoor.IRC.Bot.673
   •  Fortinet: W32/Jorik_IRCbot.IO!tr
   •  Ikarus: Trojan.Win32.Jorik


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops malicious files
   • Registry modification
   • Opens website in web browser
   • Steals information

Files
It copies itself to the following locations:
   • %TEMPDIR%\facebook-pic00005267.exe
   • %WINDIR%\nvsvc32.ext
   • %WINDIR%\nvsvc32.exe



It deletes the following file:
   • %WINDIR%\nvsvc32.ext



The following files are created:

– Non-malicious files:
   • %WINDIR%\mdlu.dl
   • %WINDIR%\wintybrd.png
   • %WINDIR%\wintybrdf.jpg

Registry
The following registry entries are added so that the worm is started again after a reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\sample.exe"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"



The following registry value is changed (Start=4 disables the Windows Update service, wuauserv):

– [HKLM\SYSTEM\ControlSet001\Services\wuauserv]
   New value:
   • "Start"=dword:00000004
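As an added example (not part of the Avira description), the following Python script flags the three registry artifacts described above, the Run-key autostart entries, the firewall allow-list entry and the disabled wuauserv service, in an exported .reg file; the sample export is constructed for the demonstration.

```python
# Added example (not from the Avira description): flag the Jorik.A registry
# artifacts listed above in a Windows .reg export, for offline triage.

# Indicators taken from the description; keys are compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\terminal server\install\software\microsoft\windows\currentversion\run",
}
FIREWALL_LIST = (r"hkey_local_machine\system\controlset001\services\sharedaccess"
                 r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
WUAUSERV = r"hkey_local_machine\system\controlset001\services\wuauserv"

def parse_reg(text):
    """Yield (key, name, data) triples from a .reg export (REG_SZ and dword only)."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"')

def find_jorik_artifacts(text):
    """Return (indicator, key, value_name) for every entry matching the description."""
    hits = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if k in RUN_KEYS and d.endswith(r"\nvsvc32.exe"):
            hits.append(("persistence", key, name))            # Run-key autostart
        elif k == FIREWALL_LIST and "nvsvc32.exe" in d and ":enabled:" in d:
            hits.append(("firewall-bypass", key, name))        # XP firewall allow-list
        elif k == WUAUSERV and name.lower() == "start" and d == "dword:00000004":
            hits.append(("windows-update-disabled", key, name))  # Start=4 means disabled
    return hits

# Constructed sample export (not a real capture); .reg files double the backslashes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA driver monitor"="C:\\WINDOWS\\nvsvc32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\malware\\sample.exe"="C:\\WINDOWS\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
"Start"=dword:00000004
'''
```

Run `find_jorik_artifacts(SAMPLE_REG)` to see the three hits; the benign ctfmon.exe entry is not reported.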

Messenger
It spreads via instant messengers. The characteristics are described below:

– AIM Messenger
– Skype
– Yahoo Messenger


To:
All entries in the contact list.

IRC
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: server.**********com
Port: 1234
Server password: xxx
Channel: #!nn!
Nickname: NEW-[USA|00|P|%several random digits% ]
Password: test

Server: 213-229-**********550.net
Port: 1234
Server password: xxx
Channel: #!nn!
Nickname: NEW-[USA|00|P|%several random digits% ]
Password: test



– This malware has the ability to collect and send information such as:
    • Information about the network
    • Username


– Furthermore, it has the ability to perform actions such as:
    • Connect to IRC server
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Start spreading routine
    • Terminate process
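As an added example (not part of the Avira description), the following Python snippet matches the IRC handshake described above in a client-to-server command stream, as a defender might when writing a network detection. The nickname pattern generalizes the documented "NEW-[USA|00|P|digits]" form (any 2-3 letter country code and any single letter in the third field) and the sample session is constructed, both assumptions of this example.

```python
# Added example (not from the Avira description): match the Jorik.A IRC
# handshake (nickname format, channel, port) in a client-to-server stream.
import re

# Nickname format from the description: NEW-[USA|00|P|<several random digits> ]
# The country code and the single-letter field are generalized here (assumption).
NICK_RE = re.compile(r"^NICK\s+NEW-\[[A-Z]{2,3}\|\d{2}\|[A-Z]\|\d+\s*\]$")
CHANNEL = "#!nn!"   # channel name from the description
SERVER_PORT = 1234  # server port from the description

def irc_indicators(lines, dst_port):
    """Return the set of indicator names seen in one IRC session to dst_port."""
    found = set()
    if dst_port == SERVER_PORT:
        found.add("port-1234")
    for raw in lines:
        line = raw.strip()
        cmd = line.split(" ", 1)[0].upper()
        if NICK_RE.match(line):
            found.add("jorik-nick")
        elif cmd == "JOIN" and CHANNEL in line.split():
            found.add("jorik-channel")
    return found

def is_jorik_session(lines, dst_port):
    """Alert only when both the nickname pattern and the channel appear, to limit false positives."""
    return {"jorik-nick", "jorik-channel"} <= irc_indicators(lines, dst_port)

# Constructed sample session (not a real capture); "test" is the channel password.
SAMPLE_SESSION = [
    "PASS xxx",
    "NICK NEW-[USA|00|P|482913]",
    "USER a b c :d",
    "JOIN #!nn! test",
]
```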

Stealing
– It uses a network sniffer that checks for the following strings:
   • cpa; lead; google; bing; yahoo; live; mail; microsoft; window;
      aricles; vidr; rush; porn; sex; tube; adult; gllo; xnxx; xvideos;
      kyarticl; lmsarchiv; rticleslo; fuck; afemo; fullarti; i24searc;
      article; kanaa; enthou; iggarti; virus; myspace; postart; perbizsear;
      m-new; cpalead; freeart; astmo; cpa; lead; outu; daddie; porn; gay;
      adobe; geshac

Miscellaneous
Internet connection:
To check whether it has an internet connection it performs DNS lookups for the following host names:
Accesses internet resources:
   • http://174.37.2**********x.php
   • http://www.myspace.com/browse/people
   • http://www.myspace.com/help/browserunsupported

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Alexandru Dinu on Wednesday, March 16, 2011
Description updated by Alexandru Dinu on Wednesday, March 16, 2011
