How to Prevent and Remove the Trojan.Win32.Jorik.Lolbot.gx


 

1. What is the Trojan.Win32.Jorik.Lolbot.gx

Trojan.Win32.Jorik.Lolbot.gx is usually a standalone program that drops different types of standalone malware (Trojans, worms and backdoors) onto a Windows system. Trojan.Win32.Jorik.Lolbot.gx is an executable file that contains other files compressed inside its body.

Usually Trojan.Win32.Jorik.Lolbot.gx is created by special programs called "joiners". These programs allow the author to customize functionality and to add as many files as needed into the package. Sometimes Trojan.Win32.Jorik.Lolbot.gx unpacks its components directly into memory and activates them there.


Alias: Generic.dx!uld [McAfee]; Worm:MSIL/Toshwire.A [Microsoft]; Virus.MSIL [Ikarus]

 

2. Technical Details:

 

a. The following files were created in the system:

 

No.  Filename                               Size
1    %Temp%\google_cache204.tmp             9 bytes
2    %Temp%\msconfig.exe                    122,880 bytes
     %Temp%\svchost.exe
     [file and pathname of the sample #1]
  • Note:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

b. Memory Modifications

  • There was a new process created in the system:

Process Name    Process Filename        Main Module Size
svchost.exe     %Temp%\svchost.exe      N/A
msconfig.exe    %Temp%\msconfig.exe     N/A

c.  Registry Modifications

  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Security System = "%Temp%\svchost.exe"

      so that svchost.exe runs every time Windows starts
       
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • Security System = "%Temp%\svchost.exe"
      • Microsoft Configuration = "%Temp%\msconfig.exe"

      so that svchost.exe runs every time Windows starts
      so that msconfig.exe runs every time Windows starts
d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host      Port Number
    82.146.52.126    4567

     

3. How-to's

a. How to prevent the Trojan.Win32.Jorik.Lolbot.gx?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and ensure your network and business security.

b. How to Remove the Trojan.Win32.Jorik.Lolbot.gx Manually?

Step 1: Use Windows Task Manager to Remove Trojan.Win32.Jorik.Lolbot.gx Processes

msconfig.exe
svchost.exe
     

Step 2: Use Registry Editor to Remove Trojan.Win32.Jorik.Lolbot.gx Registry Values

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Security System = "%Temp%\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Security System = "%Temp%\svchost.exe"
Microsoft Configuration = "%Temp%\msconfig.exe"

Step 3: Detect and Delete Other Trojan.Win32.Jorik.Lolbot.gx Files

%Temp%\google_cache204.tmp
%Temp%\msconfig.exe
%Temp%\svchost.exe
[file and pathname of the sample #1]
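Before working through Steps 1 to 3 by hand, it helps to confirm which of the indicators from section 2 are actually present on the host. The following PowerShell audit is an added example, not part of the original write-up; it reports the Run values, %Temp% files, processes running from %Temp% and connections to the remote host listed above, and deletes nothing. It assumes an elevated PowerShell on Windows 8 or later (for Get-NetTCPConnection); the value names, file names and address are taken from this page.

```powershell
# Added audit script, not from the original write-up. It only REPORTS the
# indicators listed in section 2; removal is done with the manual steps above.
# Assumes Windows 8+/PowerShell 3+ (Get-NetTCPConnection) and an elevated shell.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectValueNames = @('Security System', 'Microsoft Configuration')   # from the write-up
$suspectFiles = @('google_cache204.tmp', 'msconfig.exe', 'svchost.exe') |
    ForEach-Object { Join-Path $env:TEMP $_ }
$remoteHost = '82.146.52.126'   # remote host noted under "Other details"
$tempDir = (Get-Item -LiteralPath $env:TEMP).FullName   # long form, for path comparisons
$findings = @()

# 1. Run keys: the value names from the write-up, plus, more generally, any
#    autostart command whose image lives in the user's Temp folder.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"', ' ')
        $fromTemp = $cmd.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)
        if (($suspectValueNames -contains $p.Name) -or $fromTemp) {
            $findings += "Run value: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped files in %Temp% (the 9-byte .tmp and the 122,880-byte executables).
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File: $f ($((Get-Item -LiteralPath $f).Length) bytes)"
    }
}

# 3. Processes running from %Temp%. A genuine svchost.exe or msconfig.exe runs
#    from %SystemRoot%\System32, so the Temp path is the tell, not the name.
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.Path -and $proc.Path.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Process: $($proc.Name) (PID $($proc.Id)) from $($proc.Path)"
    }
}

# 4. Live TCP connections to the remote host; port 4567 was observed in the sample.
foreach ($conn in (Get-NetTCPConnection -RemoteAddress $remoteHost -ErrorAction SilentlyContinue)) {
    $findings += "Connection: $($conn.RemoteAddress):$($conn.RemotePort) by PID $($conn.OwningProcess) ($($conn.State))"
}

if ($findings.Count -eq 0) { 'No Jorik.Lolbot indicators found.' } else { $findings }
```

The process PIDs it prints are the ones to end in Task Manager in Step 1, and the Run values it lists are the ones to delete in Step 2; on systems where %Temp% is set in 8.3 short form, compare against the expanded long path as the script does, since process and file paths are reported in long form.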
     

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
