1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Jnanabot Activity

System Infected: Jnanabot Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Jnanabot worm communicating and requesting information from its controlling server.

Additional Information

An unsuspecting user clicks on a malicious URL on a social networking site, resulting in the downloading of a dropper file. This file then drops and launches the main component of the threat, that is jnana.tsa, which is a .jar file. This file contains many encrypted class files. Cplib_x86_win module is used to encrypt and decrypt those class files. This component has the ability to control all the other components of the threat.

The main component then downloads the installer/updater component and the Keylogging component.

Affected

  • Windows Platforms, Mac OS X

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube