How to Prevent and Remove the Trojan.Win32.Jorik.SdBot.fm


1. What is the Trojan.Win32.Jorik.SdBot.fm

Trojan.Win32.Jorik.SdBot.fm is a malicious spyware trojan that uses deceptive techniques to download further malware from the Internet. It opens up the firewall and collects confidential information such as personal financial data, and it downloads additional components before the attackers obtain remote access to the infected PC. Trojan.Win32.Jorik.SdBot.fm is an identified security risk, and you should remove it immediately once it is detected.

Aliases: Malware.Yimfoca [PCTools], W32.Yimfoca [Symantec], Generic.dx!uij [McAfee], Mal/PushBot-A [Sophos], Backdoor:Win32/IRCbot [Microsoft], Trojan.Win32.Jorik [Ikarus], Win-Trojan/Seint.62464.M [AhnLab]

2. Technical Details

a. The following files were created in the system:

  #  Filename(s)                              File Size
  1  %Windir%\mdlu.dl                         2,256 bytes
  2  %Windir%\nvsvc32.exe                     62,464 bytes
     [file and pathname of the sample #1]
  3  %Windir%\wintybrd.png                    3,416 bytes
  4  %Windir%\wintybrdf.jpg                   3,968 bytes

  • Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There was a new process created in the system:

    Process Name  Process Filename       Main Module Size
    nvsvc32.exe   %Windir%\nvsvc32.exe   3,137,536 bytes

  • The following system service was modified:

    Service Name  Display Name       New Status  Service Filename
    wuauserv      Automatic Updates  "Stopped"   %System%\svchost.exe -k netsvcs

  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

c. Registry Modifications

  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"
        so that nvsvc32.exe runs every time Windows starts
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
      • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"
        so that nvsvc32.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • NVIDIA driver monitor = "%Windir%\nvsvc32.exe"
        so that nvsvc32.exe runs every time Windows starts
    • List =

d. Other details

  • The following ports were open in the system:

    Port  Protocol  Process
    1061  TCP       nvsvc32.exe (%Windir%\nvsvc32.exe)
    1062  TCP       nvsvc32.exe (%Windir%\nvsvc32.exe)
    1063  TCP       nvsvc32.exe (%Windir%\nvsvc32.exe)

  • There were registered attempts to establish connections with remote hosts. The connection details are:

    Remote Host      Port Number
    174.37.200.82    80
    216.178.39.11    80
    63.135.80.224    80
    64.211.162.72    80
    66.220.158.11    80
    64.202.107.109   1234

  • The data identified by the following URLs was then requested from the remote web server:

    • http://174.37.200.82/index.php
    • http://www.myspace.com/browse/people
    • http://www.myspace.com/help/browserunsupported
    • http://browseusers.myspace.com/Browse/Browse.aspx
    • http://x.myspacecdn.com/images/BrowserUpgrade/bg_infobox.jpg
    • http://x.myspacecdn.com/modules/splash/static/img/cornersSheet.png
    • http://x.myspacecdn.com/images/BrowserUpgrade/icon_information.gif
    • http://x.myspacecdn.com/images/BrowserUpgrade/bg_browserSection.jpg
    • http://x.myspacecdn.com/images/BrowserUpgrade/browserLogos_med.jpg
    • http://www.facebook.com/home.php
    • http://www.facebook.com/login.php

3. How-to's

a. How to prevent Trojan.Win32.Jorik.SdBot.fm?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and ensure your network and business security.

b. How to Remove Trojan.Win32.Jorik.SdBot.fm Manually?

Step 1: Use Windows Task Manager to Remove Trojan.Win32.Jorik.SdBot.fm Processes

nvsvc32.exe

Step 2: Use Registry Editor to Remove Trojan.Win32.Jorik.SdBot.fm Registry Values

# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
* NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

# [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
* NVIDIA driver monitor = "%Windir%\nvsvc32.exe"

Step 3: Detect and Delete Other Trojan.Win32.Jorik.SdBot.fm Files

%Windir%\mdlu.dl
%Windir%\nvsvc32.exe
[file and pathname of the sample #1]
%Windir%\wintybrd.png
%Windir%\wintybrdf.jpg
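Before working through the manual steps, a read-only check for the artifacts listed in section 2 helps confirm that a machine is actually affected. The following PowerShell script is an added example written for this page, not code from the original article or from Ax3soft; it assumes an elevated prompt on a Windows version with Get-NetTCPConnection (Windows 8 / Server 2012 or later) and reports only, it removes nothing.

```powershell
# Added triage script (not from the original page): reports the
# Trojan.Win32.Jorik.SdBot.fm artifacts from section 2 without changing anything.
# Run in an elevated PowerShell prompt; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
$valueName = 'NVIDIA driver monitor'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$files = 'mdlu.dl', 'nvsvc32.exe', 'wintybrd.png', 'wintybrdf.jpg' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }   # $env:SystemRoot is %Windir%
$findings = @()

# 1. Persistence: the Run value pointing at %Windir%\nvsvc32.exe (all three keys from 2c)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $data = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$valueName
    if ($data) { $findings += "Run value '$valueName' in $key = $data" }
}

# 2. Dropped files in the Windows folder (2a)
foreach ($f in $files) {
    if (Test-Path $f) { $findings += "File present: $f ($((Get-Item $f).Length) bytes)" }
}

# 3. Running process and any TCP listener it owns (2b, 2d). The report's ports
#    1061-1063 are ephemeral and will differ per infection, so they are not hard-coded.
$proc = Get-Process -Name 'nvsvc32' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process running: nvsvc32.exe (PID $($proc.Id -join ', '))"
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $proc.Id -contains $_.OwningProcess } |
        ForEach-Object { $findings += "Listening: TCP $($_.LocalPort) (PID $($_.OwningProcess))" }
}

# 4. Side effect from 2b: Automatic Updates (wuauserv) left stopped
$svc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $findings += "Service wuauserv is $($svc.Status)" }

# 5. The one non-HTTP remote host in 2d; the TCP/80 hosts belong to the public
#    web sites in the URL list above and are too weak to use as indicators.
Get-NetTCPConnection -RemoteAddress '64.202.107.109' -RemotePort 1234 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Connected to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)" }

if ($findings.Count -eq 0) { 'No Trojan.Win32.Jorik.SdBot.fm indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script also checks the HKEY_CURRENT_USER Run key from section 2c, which Step 2 above does not list; a hit there means that value must be deleted as well before the process stops returning at logon.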

c. How to Remove These Trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
