Win32/Joleee [Threat Name] go to Threat

Win32/Joleee.NG [Threat Variant Name]

Category	worm
Size	27649 B
Aliases	Trojan.Win32.Agent.bsja (Kaspersky)
	Trojan.Spammer.Tedroo (BitDefender)

Win32/Joleee.NG is a worm that is used for spam distribution.

When executed, the worm copies itself into the following location:

In order to be executed on system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "services" = "%systemroot%\services.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "services" = "%systemroot%\services.exe"

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "FirewallDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
- "Start" = 4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
- "Start" = 4
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
- "EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
- "EnableFirewall" = 0

After the installation is complete, the worm deletes the original executable file.

The worm creates the following files:

The following services are disabled:

The worm may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\services]
- "del" = %filepath%

The worm executes the following commands:

A string with variable content is used instead of %filepath% .

The worm checks for Internet connectivity by trying to connect to the following servers:

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to some of the following IP addresses:

The HTTP protocol is used.

The worm can be used for sending spam.