I haven't blogged for a very long time. I guess I was too busy, and there was also the change of environment this year.
I was infected by a virus last week. I'm not sure how it happened, but it came from a handy drive. I called it the Jovana virus,
because it creates a recycler folder called Jovana in each drive.
C:\documents and settings\administrator\application data\yjty.exe
C:\Documents and Settings\Administrator\csrss.exe
I tried to delete these files, but the process was still running. Killing it with Process Explorer was also fruitless.
Then I tried Unlocker. Only then was I able to delete the files. Need to find the program.
Here is the content of the autorun file (the first line is the junk that appeared in the file as-is).
"sêË×ÄÑÀÊÄêÎ׊ÄÌäêëàñ×ÄÊËŒŠ×ÄÊËœš÷L?DAdlq?dw?nmkslakdl?l?wqdw?ÝÆÂÁôûÄâëáÝÆÖÁÂüëàñäæôûñüáìäæüæËÄÌÜÎÄÙÆËÛÂÕÙÖËâàëâôäæüñûôäÆÑüáûôäÆÑÜÁÔÛÄÑËÁÇÂÖÆÜâÖÆÄÉüáâæâÆÄËÎÛÔÆâëÆÔÜÛÄÆüáñÄÆëáâ÷ÙÂËÖÆüâÖÄÆëâëáÔÛÄÆìüáäæÛÔÌÁÔÛÄÆÁ×üëôÙÖÌÜÎÖÆÌÒÔÖÙÂËÔÆôûüÄÆÌÀÔÛËÂÝÆËÄÖÉÂÖÒÉàîÀÆö
open=JOVANA/pojatar.exe
action=Open folder to view files using Windows Explorer
icon=JOVANA/pojatar.exe
Shell\open\command=JOVANA/pojatar.exe
shell\open\command=JOVANA/pojatar.exe
USEAUTOPLAY=1
Then it created a lot of processes in the temp folder.
It also modifies the registry by creating a few startup entries.
Here is one of the entries it created:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell"="explorer.exe,C:\\Documents"
The rest I forgot, because I deleted them as soon as they came out.
If the process is still alive, it will recreate all the entries in the registry. Only after I killed it was I able to fully stop it from modifying the registry.
This is taken from ThreatExpert.com:
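As an added example (not the author's tooling and not part of the original post), a small Python triage script that parses an autorun.inf laid out like the one above, skipping the junk-byte padding, flags the entries that make it dangerous, and checks whether a Winlogon "Shell" value is still the expected plain explorer.exe. The sample autorun.inf is constructed to mirror the one quoted above.

```python
import re

# Constructed sample modelled on the autorun.inf quoted above: a line of junk
# bytes (shortened here) followed by the key=value pairs.
SAMPLE_AUTORUN = (
    b"\x93s\xea\xcb\xd7\xc4\xd1\xc0?DAdlq?dw?nmkslakdl?\xdd\xc6\xc2\n"
    b"open=JOVANA/pojatar.exe\n"
    b"action=Open folder to view files using Windows Explorer\n"
    b"icon=JOVANA/pojatar.exe\n"
    b"Shell\\open\\command=JOVANA/pojatar.exe\n"
    b"shell\\open\\command=JOVANA/pojatar.exe\n"
    b"USEAUTOPLAY=1\n"
)

_PAIR = re.compile(r"^\s*([A-Za-z][A-Za-z\\]*)\s*=\s*(.*?)\s*$")


def parse_autorun(raw: bytes) -> dict:
    """Extract key=value pairs; junk lines (the obfuscation padding) are
    skipped. Keys are lower-cased because Windows ignores case, so the
    duplicated Shell\\open\\command lines collapse into one entry."""
    entries = {}
    for line in raw.decode("latin-1").splitlines():
        m = _PAIR.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def autorun_findings(entries: dict) -> list:
    """Reasons a defender would quarantine this drive's autorun.inf."""
    findings = []
    for key in ("open", "shell\\open\\command"):
        target = entries.get(key, "")
        if target.lower().endswith(".exe"):
            findings.append(f"{key} runs an executable from the drive: {target}")
    if "shell\\open\\command" in entries:
        findings.append("shell\\open\\command sets what Explorer runs on double-click")
    if "open" in entries and "view files" in entries.get("action", "").lower():
        findings.append("action text mimics the normal 'Open folder' prompt")
    if entries.get("useautoplay", "0") == "1":
        findings.append("USEAUTOPLAY=1 requests automatic handling of the drive")
    return findings


def winlogon_shell_suspicious(value: str) -> bool:
    """Winlogon\\Shell should be exactly explorer.exe; every extra
    comma-separated entry is started at logon as well."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return parts != ["explorer.exe"]


if __name__ == "__main__":
    for finding in autorun_findings(parse_autorun(SAMPLE_AUTORUN)):
        print("-", finding)
    print(winlogon_shell_suspicious(r"explorer.exe,C:\Documents"))
```

On a live machine you would feed the script the bytes of the drive's autorun.inf and the Shell value read from HKCU and HKLM Winlogon keys; a value with anything beyond explorer.exe is the persistence entry to remove.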
JOVANA.EXE has been seen to perform the following behavior:
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This process creates other processes on disk
Executes Processes stored in Temporary Folders
This Process Deletes Other Processes From Disk
Executes a Process
Injects code into other processes
Copies files
JOVANA.EXE has been the subject of the following behavior:
Created as a process on disk
Executed from Temporary Folders
Has code inserted into its Virtual Memory space by other programs
Added as a Registry auto start to load Program on Boot up
Deleted as a process from disk
Terminated as a Process
Executed as a Process
Copied to multiple locations on the system