Trojan.JAVA.Adwind

General Explanation

Type: Trojan

Degree of destruction: average

Prevalence: average

What is a Trojan?

Trojans are malware that present themselves as a legitimate and useful tool. The user therefore downloads and installs them, infecting the system without realizing that the program is malicious. After installation a Trojan usually acts as a backdoor, letting the attacker access the victim’s system remotely. The malware analyzed here, for instance, appears to perform a legitimate, useful job, but it installs an unwanted application on the system.

What is Adwind malware?

The Adwind Trojan is written in Java, distributed as JAR files, and is able to steal the user’s information. Attackers use it to collect and exfiltrate system data and to remotely control the infected system. The data it collects from the victim’s system comes mainly from input/output devices such as the keyboard, mouse, and monitor; it is also able to hide the user’s data and interfere with the user’s access to it.

Technical Explanation

Signs of infection

  • Creating .exe files, including java.exe, in the following path:

"%AppData%\Oracle\bin"

  • Defining a Debugger value in the registry for system applications, which leaves the user unable to run them. The value is set under the following key, with an .exe set as the Debugger data:

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

  • Disabling the Windows Task Manager by setting the DisableTaskMgr value, and setting the following values under the SystemRestore policy key:

"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

value name: DisableConfig

data: 1

"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

value name: DisableSR

data: 1

  • Setting the following value in the registry:

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

value name: ConsentPromptBehaviorAdmin

data: 0

This setting lets the malware perform privileged operations without prompting the administrator for consent.

  • Creating a folder named JAVA on the system drives, moving files with particular extensions (such as images and documents) into that folder, and hiding it. This puts the user’s data out of sight, so the user believes it is gone.
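The infection signs listed above can be checked on a host with a read-only script. The following is an added example, not code from the original page or from Padvish; it assumes the garbled path above means %AppData%\Oracle\bin, and since the page gives the DisableTaskMgr and SystemRestore values without a registry hive, it checks both HKLM and HKCU (with DisableTaskMgr under the Policies\System key).

```powershell
# Added example: read-only checks for the Adwind infection signs listed on this page.
# Run in an elevated PowerShell session on the host being examined.
$findings = @()

# 1. Dropped executables under %AppData%\Oracle\bin (assumed reading of the path above)
$dropDir = Join-Path $env:APPDATA 'Oracle\bin'
if (Test-Path $dropDir) {
    Get-ChildItem -Path $dropDir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Executable in $dropDir : $($_.Name)" }
}

# 2. Image File Execution Options entries carrying a Debugger value.
#    Legitimate debuggers also use this key, so review each hit rather than treating it as proof.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for $($_.PSChildName) -> $dbg" }
}

# 3. Policy values named on the page. Hive is an assumption (page gives none for the first three).
$checks = @(
    @{ Key = 'SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';       Name = 'DisableConfig';              Bad = 1 },
    @{ Key = 'SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';       Name = 'DisableSR';                  Bad = 1 },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'DisableTaskMgr';             Bad = 1 },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'ConsentPromptBehaviorAdmin'; Bad = 0 }
)
foreach ($c in $checks) {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $c.Key
        $val = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $val -and $val -eq $c.Bad) { $findings += "$path\$($c.Name) = $val" }
    }
}

# 4. Hidden folder named JAVA in the root of any file-system drive
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $java = Join-Path $_.Root 'JAVA'
    if (Test-Path $java) {
        $attr = (Get-Item -Path $java -Force).Attributes
        if ($attr -band [IO.FileAttributes]::Hidden) { $findings += "Hidden JAVA folder at $java" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the listed indicators were found.' }
```

A ConsentPromptBehaviorAdmin value of 0 means elevation without any prompt, which is the setting the page describes; the other values are only reported when they equal the data given above.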

How to deal with it and disinfect the system

Padvish antivirus will detect and delete this malware. To keep such malware off the system, avoid clicking on suspicious links and scan all files attached to emails. Also, always keep your OS and antivirus up to date where possible.
