Java/Adwind [Threat Name] go to Threat

Java/Adwind.V [Threat Variant Name]

Category trojan
Size 50954 B
Detection created Sep 03, 2014
Detection database version 10361
Aliases Java:Malware-gen (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using Allatori Java Obfuscator .

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %appdata%\­%variable1%\­%variable2%.%variable3% (Microsoft Windows)
  • %userhome%/%variable1%/%variable2%.%variable3% (Linux)
  • %userhome%/%variable1%/%variable2%.%variable3% (Mac OS)

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4" = "%jrepath% -jar %malwarepath%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4" = "%jrepath% -jar %malwarepath%"

A string with variable content is used instead of %variable1-4% .


The trojan may create the following files:

  • %userhome%/.config/autostart/%variable4%.desktop (Linux)
  • %userhome%/Library/LaunchAgents/com.%variable4%.plist (Mac OS)

This causes the trojan to be executed on every system start.

Information stealing

The trojan collects the following information:

  • network adapter information
  • computer IP address
  • user name
  • operating system version
  • memory status
  • country
  • malware version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. It tries to connect to the remote machine on port:

  • 87
  • 88

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • open a specific URL address
  • display a dialog window
  • uninstall itself

The trojan may create the following files:

  • %temp%\­%variable%.png
  • %temp%\­NetGator.vbs
  • %temp%\­Picture.png
  • %temp%\­UpdatingWindows.vbs
  • %temp%/Vabasas.sh

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.