Threat Encyclopedia

Win32/Joleee.NG

Aliases: Trojan.Win32.Agent.bsja (Kaspersky), Trojan.Spammer.Tedroo (BitDefender)
Type of infiltration: Worm
Size: 27649 B
Affected platforms: Microsoft Windows
Signature database version: 3882 (20090223)

Short description

Win32/Joleee.NG is a worm that is used for spam distribution.

Installation

When executed, the worm copies itself into the following location:
  • %systemroot%\Services.exe
In order to be executed on system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "services" = "%systemroot%\services.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "services" = "%systemroot%\services.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallOverride" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
    "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
    "EnableFirewall" = 0
After the installation is complete, the worm deletes the original executable file.

Other information

The worm creates the following files:
  • %systemroot%\file.bat
  • %systemroot%\adobe.bat
  • %systemroot%\_id.dat
  • file.bat
The following services are disabled:
  • wscsvc (Windows Security Center Service)
  • sharedaccess (Windows Firewall/Internet Connection Sharing)
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\services]
    "del" = %filepath%
The worm executes the following commands:
  • netsh firewall add allowedprogram %filepath% allowed ENABLE
  • netsh firewall set opmode DISABLE
A string with variable content is used instead of %filepath%.
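As an added, read-only host check that is not part of the ESET entry: the PowerShell function below looks for the Run values, Security Center and firewall-policy settings, disabled service Start values and dropped files listed in the Installation and Other information sections above. It assumes an elevated session on the host being examined; the function name is made up, and nothing is modified.

```powershell
# Added example, not ESET's code. Read-only check for the artifacts described
# in the Win32/Joleee.NG write-up. Assumes an elevated PowerShell session.
function Test-JoleeeIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # Registry indicators taken from the entry: key, value name, and the data
    # the worm writes. Bad = $null means any data under that name is of interest.
    $indicators = @(
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'services'; Bad = '%systemroot%\services.exe' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'services'; Bad = '%systemroot%\services.exe' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';      Bad = 0 }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Bad = 1 }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4 }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start'; Bad = 4 }
        @{ Key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 }
        @{ Key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
        @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\services'; Name = 'del'; Bad = $null }
    )

    foreach ($i in $indicators) {
        # Missing key or missing value name both yield $null here.
        $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($i.Name)
        # The Run value may be stored unexpanded (REG_SZ) or come back expanded
        # (REG_EXPAND_SZ), so compare against both forms, case-insensitively.
        if ($null -eq $i.Bad -or "$data" -ieq "$($i.Bad)" -or
            "$data" -ieq [Environment]::ExpandEnvironmentVariables("$($i.Bad)")) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$($i.Key)\$($i.Name)"; Data = $data }
        }
    }

    # Files the entry says are created under %systemroot%. The genuine
    # services.exe lives in System32, so a copy directly in %systemroot% stands out.
    foreach ($name in 'Services.exe', 'file.bat', 'adobe.bat', '_id.dat') {
        $path = Join-Path $env:SystemRoot $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Where = $path; Data = (Get-Item -LiteralPath $path).Length }
        }
    }
    return $findings
}

Test-JoleeeIndicators | Format-Table -AutoSize
```

The firewall-policy and Security Center values can also be set legitimately by Group Policy, so treat those hits as corroborating evidence and weight the Run value and the dropped files more heavily.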

The worm checks for Internet connectivity by trying to connect to the following servers:
  • hotmail.com
  • yahoo.com
  • aol.com
  • google.com
  • mail.com
The worm receives data and commands from a remote computer or the Internet.

The worm connects to some of the following IP addresses:
  • 66.232.126.138
  • 66.232.126.195
  • 91.207.4.122
The HTTP protocol is used.

The worm can be used for sending spam.