Win32/Joleee [Threat Name]
Win32/Joleee.NG [Threat Variant Name]
Category | worm
Size | 27649 B
Aliases | Trojan.Win32.Agent.bsja (Kaspersky), Trojan.Spammer.Tedroo (BitDefender)
Short description
Win32/Joleee.NG is a worm that is used for spam distribution.
Installation
When executed, the worm copies itself into the following location:
- %systemroot%\Services.exe
In order to be executed on system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "services" = "%systemroot%\services.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "services" = "%systemroot%\services.exe"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "FirewallOverride" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
- "FirewallDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
- "Start" = 4
- [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
- "EnableFirewall" = 0
- [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
- "EnableFirewall" = 0
After the installation is complete, the worm deletes the original executable file.
Other information
The worm creates the following files:
- %systemroot%\file.bat
- %systemroot%\adobe.bat
- %systemroot%\_id.dat
- file.bat
The following services are disabled:
- wscsvc (Windows Security Center Service)
- sharedaccess (Windows Firewall/Internet Connection Sharing)
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\services]
- "del" = %filepath%
The worm executes the following commands:
- netsh firewall add allowedprogram %filepath% allowed ENABLE
- netsh firewall set opmode DISABLE
A string with variable content is used instead of %filepath%.
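The following read-only PowerShell check is an added example, not part of the ESET description, that looks for the persistence entries, firewall-tampering values, disabled services and dropped files listed above on a Windows host. It assumes an elevated PowerShell 3.0 or later session; the indicator names are taken from this page, the script layout is ours.

```powershell
# Added example: audit a host for the Win32/Joleee.NG artifacts listed above.
# Read-only: it reports findings and changes nothing.
$findings = @()

# Dropped copy of the worm and its helper files under %systemroot%
foreach ($f in 'services.exe', 'file.bat', 'adobe.bat', '_id.dat') {
    $fp = Join-Path $env:SystemRoot $f
    if (Test-Path $fp) { $findings += "File present: $fp" }
}

# Run-key persistence "services" under both HKLM and HKCU
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $key -Name 'services' -ErrorAction SilentlyContinue).services
    if ($val -and $val -match 'services\.exe$') { $findings += "Run entry ${hive}\...\Run\services = $val" }
}

# Registry values the worm sets. Bad = the tampered value; $null = any value is suspicious.
# FirewallOverride = 0 is also the Windows default, so it is only meaningful with the others.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Bad = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Bad = 4 },
    @{ Key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\services'; Name = 'del'; Bad = $null }
)
foreach ($c in $checks) {
    $p = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }            # key or value absent: nothing to report
    $v = $p.($c.Name)
    if ($null -eq $c.Bad -or $v -eq $c.Bad) { $findings += "$($c.Key)\$($c.Name) = $v" }
}

# Services the worm disables (Start = 4 above is the 'Disabled' start type)
foreach ($svc in 'wscsvc', 'SharedAccess') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($s -and $s.StartMode -eq 'Disabled') { $findings += "Service $svc start mode is Disabled" }
}

if ($findings.Count -eq 0) {
    'No Win32/Joleee.NG indicators found.'
} else {
    'Possible Win32/Joleee.NG indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

Several of these values (a disabled firewall policy, Security Center notifications turned off) can be legitimate on a managed host, so treat a single hit as a lead and the combination with the dropped %systemroot%\services.exe and its Run entries as the strong signal.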
The worm checks for Internet connectivity by trying to connect to the following servers:
- hotmail.com
- yahoo.com
- aol.com
- google.com
- mail.com
The worm acquires data and commands from a remote computer or the Internet.
The worm connects to some of the following IP addresses:
- 66.232.126.138
- 66.232.126.195
- 91.207.4.122
The HTTP protocol is used.
The worm can be used for sending spam.