Win32/Joleee [Threat Name]

Win32/Joleee.NG [Threat Variant Name]

Category: worm
Size: 27649 B
Aliases: Trojan.Win32.Agent.bsja (Kaspersky), Trojan.Spammer.Tedroo (BitDefender)

Short description

Win32/Joleee.NG is a worm that is used for spam distribution.


When executed, the worm copies itself into the following location:

  • %systemroot%\Services.exe

To be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "services" = "%systemroot%\services.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "services" = "%systemroot%\services.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "FirewallOverride" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
    • "EnableFirewall" = 0
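
The Registry entries listed above can be checked offline against a `reg export` snapshot of a suspect host. The following Python is an added example, not part of the original description; `SYSTEMROOT`, the function names and the sample export are assumptions constructed for illustration.

```python
import re

SYSTEMROOT = r"C:\Windows"  # assumption: %systemroot% on the examined host
# (key, value name, data) exactly as listed in the description above
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "services", r"%systemroot%\services.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "services", r"%systemroot%\services.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallOverride", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 4),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 0),
    (r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 0),
]
# "name"=dword:XXXXXXXX or "name"="string" (with \\ and \" escapes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{8})|"((?:[^"\\]|\\.)*)")$')

def parse_reg(text):
    """Map (key, value name), both lower-cased, to REG_SZ/REG_DWORD data; skip other types."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            data = int(dword, 16) if dword is not None else re.sub(r"\\(.)", r"\1", string)
            values[(key, name.lower())] = data
    return values

def norm(data):
    """Lower-case strings and expand %systemroot% so both path spellings compare equal."""
    return data.lower().replace("%systemroot%", SYSTEMROOT.lower()) if isinstance(data, str) else data

def find_indicators(reg_text):
    """Return the listed (key, name, data) indicators whose data matches the export."""
    values = parse_reg(reg_text)
    return [(k, n, d) for k, n, d in INDICATORS if norm(values.get((k.lower(), n.lower()))) == norm(d)]

# Constructed sample export, not taken from a real host
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"services"="C:\\WINDOWS\\services.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
'''
```

The legitimate Windows services.exe resides in %systemroot%\system32, so a Run value pointing at %systemroot%\services.exe is the distinguishing detail among these entries.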

After the installation is complete, the worm deletes the original executable file.

Other information

The worm creates the following files:

  • %systemroot%\file.bat
  • %systemroot%\adobe.bat
  • %systemroot%\_id.dat
  • file.bat

The following services are disabled:

  • wscsvc (Windows Security Center Service)
  • sharedaccess (Windows Firewall/Internet Connection Sharing)

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\services]
    • "del" = %filepath%

The worm executes the following commands:

  • netsh firewall add allowedprogram %filepath% allowed ENABLE
  • netsh firewall set opmode DISABLE

A string with variable content is used instead of %filepath%.

The worm checks for Internet connectivity by trying to connect to the following servers:


The worm acquires data and commands from a remote computer or the Internet.

The worm connects to some of the following IP addresses:


The HTTP protocol is used.

The worm can be used for sending spam.
