Virus:Win32/Jadtre.E

Virus:Win32/Jadtre.E is a detection for a virus that infects Windows executable files, and spreads to computers via network shares and removable drives. The virus attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.

When executed, a Virus:Win32/Jadtre.E infected file drops and executes a copy of the virus body as the following:
 
c:\cmt.exe
 
The dropped virus file "cmt.exe" attempts to install itself as a Windows system service DLL. It searches for a stopped system service from the following list:
 
Schedule
RemoteRegistry
helpsvc
CryptSvc
Themes
Browser
Tapisrv
Nla
Netman
SSDPSRV
upnphost
Ntmssvc
EventSystem
xmlprov
WmdmPmSN
FastUserSwitchingCompatibility
BITS
AppMgmt
 
If the virus does not find a stopped service from the above list, it attempts to stop one of the services. The virus disables Windows System File Checker (SFC) and replaces the stopped service with a copy of "cmt.exe" as a DLL. The virus DLL may therefore be named as one of the following, depending on which service it replaces: 
 
schedsvc.dll
regsvc.dll
pchsvc.dll
cryptsvc.dll
browser.dll
tapisrv.dll
mswsock.dll
netman.dll
ssdpsrv.dll
upnphost.dll
ntmssvc.dll
es.dll
xmlprov.dll
mspmsnsv.dll
shsvcs.dll
qmgr.dll
appmgmts.dll
 
Virus:Win32/Jadtre.E sets the replaced service as an autostart system service to make sure the virus DLL is loaded at each Windows start. Virus:Win32/Jadtre.E may also drops a device driver with random filename as the following:

 

<system folder>\drivers\<random>.sys (e.g. 682E4E5E.sys)

 

The dropped component may be detected as VirTool:WinNT/Jadtre.B.

Virus:Win32/Jadtre.E infects Windows executable files having a file extension of ".EXE". The virus can infect executables within .RAR archive container files. 

 

Virus:Win32/Jadtre.E copies itself to removable drives as the following:
 
<drive:>\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\setup.exe
 
The virus then writes an Autorun configuration file named "autorun.inf" pointing to "setup.exe". When the drive is accessed from a computer supporting the Autorun feature, the virus is launched automatically. 

 

Virus:Win32/Jadtre.E attempts to connect to network shares by using a built-in dictionary containing user names and passwords. After successfully connecting to the share, the virus drops a copy of the virus body in the share folder.

Virus:Win32/Jadtre.E connects to a remote host to download and execute arbitrary files in the infected computer.

 

Virus:Win32/Jadtre.E replaces the host file "<system folder>\drivers\etc\hosts" with an empty configuration in order to remove any previously blocked hosts.