Win32/Jolise [Threat Name]

Win32/Jolise.A [Threat Variant Name]

Category: trojan
Size: 2457088 B
Detection created: Jan 26, 2011
Detection database version: 5821
Aliases: Trojan.Win32.Genome.wlsy (Kaspersky), Trojan:Win32/Bumat!rts (Microsoft)
Short description

Win32/Jolise.A is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

Installation

The trojan is usually bundled within installation packages of various legitimate software.


When executed, the trojan creates the following files:

  • %temp%\%variable1%\ENGLIS~1.EXE (3323320 B)
  • %temp%\%variable1%\INSTTO~1.EXE (262144 B, Win32/Jolise.A)

The files are then executed.


The trojan creates the following file:

  • %temp%\NP%variable2%.tmp

%variable1% and %variable2% stand for strings with variable content.


The trojan executes the following command:

  • rundll32.exe "%temp%\NP%variable2%.tmp",InstallHook

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ninja" = "rundll32.exe "%temp%\NP%variable2%.tmp",InstallHook"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ninja" = "rundll32.exe "%temp%\NP%variable2%.tmp",InstallHook"

Libraries with the following names are injected into all running processes:

  • %temp%\NP%variable2%.tmp
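
As an added defender-side check (not part of the ESET entry), the following PowerShell script looks for the Run-key persistence entries and the dropped hook library described above. It assumes a Windows host with PowerShell 5.1 or later, run as an administrator so the HKLM key is readable; the function names are my own.

```powershell
# Added example, not ESET's code: hunt for the Win32/Jolise.A persistence
# entries documented above (value "ninja" in the Run keys pointing at
# rundll32.exe "<temp>\NP<variable>.tmp",InstallHook) and the NP*.tmp library.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Matches the documented command line whether %temp% is still literal or expanded.
$CommandPattern = 'rundll32(\.exe)?\s+"?[^"]*\\NP[^\\"]*\.tmp"?\s*,\s*InstallHook'

function Find-JoliseRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data    = [string]$item.GetValue($name)
            $nameHit = ($name -eq 'ninja')
            $dataHit = ($data -match $CommandPattern)
            if (-not ($nameHit -or $dataHit)) { continue }
            $reason = if ($dataHit) { 'rundll32 NP*.tmp,InstallHook command' } else { 'value name "ninja"' }
            [pscustomobject]@{
                Key       = $key
                ValueName = $name
                Data      = $data
                Reason    = $reason
            }
        }
    }
}

# The hook library is dropped as NP<variable>.tmp directly in the temp directory.
function Find-JoliseTempLibrary {
    Get-ChildItem -Path $env:TEMP -Filter 'NP*.tmp' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$hits = @(Find-JoliseRunEntries)
if ($hits.Count -eq 0) { 'No Jolise-style Run entries found.' } else { $hits | Format-Table -AutoSize }
Find-JoliseTempLibrary
```

A match on the value name alone is weaker evidence than a match on the command line; confirm by inspecting the referenced NP*.tmp file before acting on it.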

Information stealing

The following information is collected:

  • disk serial number (without spaces)

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of URLs (1 entry). The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • modify website content
  • modify network traffic
  • send gathered information

The trojan hooks the following Windows APIs:

  • connect (ws2_32.dll)

The trojan monitors network traffic on the following ports:

  • 80
  • 81
  • 1234
  • 3128
  • 6666
  • 8000-8080

The trojan affects the behavior of the following applications:

  • AOL Explorer
  • Avant Browser
  • Flock
  • Google Chrome
  • Internet Explorer
  • Maxthon Web Browser
  • Mozilla Browser
  • Mozilla Firefox
  • Navigateur Orange
  • Netscape Navigator
  • Opera
  • Safari Web Browser
  • Yahoo! Browser
