Backdoor.Juasek

By ESGI Advisor in Backdoors | 18 views

Backdoor.Juasek Description

First observed in August of 2012, Backdoor.Juasek is a dangerous backdoor Trojan that can affect all versions of the Windows operating system, going as far back as Windows 95. Backdoor.Juasek is designed to enter a computer with the help of a Trojan dropper or a social engineering scam and then establish a backdoor on the infected computer. The term 'backdoor' simply refers to an unauthorized opening in the infected computer's security protection. Criminals can use this opening to install other malware on the infected computer or to steal data stored on the compromised computer. Although Backdoor.Juasek is relatively easy to remove with most anti-malware programs, Backdoor.Juasek does not cause overt symptoms, meaning that countless PC users may not be aware of Backdoor.Juasek's presence on their computer. This is especially true if your security programs are not updated. To avoid becoming infected with Backdoor.Juasek, ESG security researchers recommend keeping all your security programs up to date and being careful when downloading files or visiting unknown websites.

How Backdoor.Juasek Attacks a Computer

Backdoor.Juasek has two tasks: open a backdoor into the infected computer and send data to a remote host. Once Backdoor.Juasek is executed, it will create a malicious DLL file with a random file name. This random file name will usually be generated by choosing from a list of names. Some examples of names for this malicious DLL file that ESG security researchers have observed include espdate, sparksrv, and spksrv. Then, Backdoor.Juasek makes changes to the Windows Registry that allow its files to run automatically when the infected computer starts up. To ensure that its malicious DLL file is accessed by other applications, Backdoor.Juasek finds a legitimate DLL file with the same name and replaces it with its own, corrupted version. Finally, Backdoor.Juasek will connect to a remote server in order to receive configuration data and commands and to report on the infected computer's status.

Malicious Actions that Backdoor.Juasek Can Carry Out on the Infected Computer

Although Backdoor.Juasek can install other malware threats on the infected computer, Backdoor.Juasek itself can also carry out various malicious actions on the infected computer. These include the following:

  • Backdoor.Juasek’s back door can be used to delete files on the infected computer.
  • A criminal can use Backdoor.Juasek to access a command prompt and execute commands on the infected computer.
  • Backdoor.Juasek can also be used to execute files and view data on the infected computer.

Type: Backdoors

How Can You Detect Backdoor.Juasek?

Backdoor.Juasek Removal Details

Backdoor.Juasek typically has the following processes in memory:

  • %System%\[RANDOM FILE NAME].dll

Backdoor.Juasek creates the following files in the system:

  • %System%\svsdll.log

Backdoor.Juasek creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMNET
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMNet\Security\"Security" = "[HEXADECIMAL CHARACTERS]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"WMNet" = "multi:"WMNet\00""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMNet
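The indicators above (the WMNet service keys, the "WMNet" svchost group entry, the svsdll.log file and the observed DLL names) can be checked from an elevated PowerShell prompt with the read-only triage script below. It is an added example, not ESG's or SpyHunter's code, and it only reports findings; it does not delete or change anything. It assumes %System% maps to $env:SystemRoot\System32, and the Parameters\ServiceDll lookup reflects how svchost-hosted services normally record their DLL, which is general Windows knowledge rather than an indicator listed on this page. The DLL-name check also inspects the Authenticode signature, since the text describes a legitimate DLL being replaced by an unsigned, corrupted copy.

```powershell
# Read-only triage for the Backdoor.Juasek indicators listed on this page.
# Added example, not ESG's code. Reports findings; does not delete or modify anything.
# Assumptions: %System% = $env:SystemRoot\System32; the Parameters\ServiceDll check is
# general svchost behaviour, not an indicator taken from the page.

$findings = New-Object System.Collections.Generic.List[string]
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Registry keys named on the page (HKLM paths).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMNET',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WMNet',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WMNet\Security'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# 2. svchost service-group entry "WMNet" (REG_MULTI_SZ) under the SvcHost key.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$group = Get-ItemProperty -LiteralPath $svcHostKey -Name 'WMNet' -ErrorAction SilentlyContinue
if ($group) { $findings.Add("svchost group 'WMNet' defined: $($group.WMNet -join ',')") }

# 3. If the service exists, show which DLL svchost would load for it
#    (assumption: standard Parameters\ServiceDll layout; not listed on the page).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\WMNet\Parameters'
$dll = (Get-ItemProperty -LiteralPath $params -Name 'ServiceDll' -ErrorAction SilentlyContinue).ServiceDll
if ($dll) { $findings.Add("WMNet ServiceDll: $dll") }

# 4. The log file and the DLL names ESG researchers observed.
$log = Join-Path $system32 'svsdll.log'
if (Test-Path -LiteralPath $log) { $findings.Add("Log file present: $log") }
foreach ($name in 'espdate', 'sparksrv', 'spksrv') {
    $path = Join-Path $system32 "$name.dll"
    if (Test-Path -LiteralPath $path) {
        # A replaced system DLL will usually show NotSigned or an invalid signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings.Add("DLL present: $path (signature: $($sig.Status))")
    }
}

# 5. Is any running svchost.exe hosting the WMNet group? svchost shows the group as -k <name>.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.CommandLine -match '-k\s+WMNet' } |
    ForEach-Object { $findings.Add("svchost PID $($_.ProcessId) running group WMNet: $($_.CommandLine)") }

if ($findings.Count -eq 0) { 'No Backdoor.Juasek indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it as an administrator so the Services and Security subkeys are readable. A hit on step 2 or 5 is the strongest signal, because a service group named WMNet has no legitimate reason to exist on a stock Windows install; a hit on step 4 alone should be confirmed with the signature status before anything is quarantined, since those file names are drawn from a list and could in principle collide with a legitimate, signed file.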

This entry was last updated on 08/24/12 and posted on 08/24/12. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.