Content
W32/Jambu.worm
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 04/20/2007
- Length
- ~54kb
- Minimum DAT
- 5015 (04/23/2007)
- Updated DAT
- 5015 (04/23/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 04/22/2007
- Description Modified
- 04/22/2007 11:15 PM (PT)
Tab Navigation
Characteristics
When executed, this worm displays the following error message:
It drops the following files:
- %Windir%\system\Flash Player.exe
- %System%\6666.com
- %System%\Flash_8_Player.exe
- %System%\w32sys.exe
- Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).empty
- Documents and Settings\All Users\Start Menu\Flash Games.exe
- Program Files\Common Files\Microsoft Shared\Dao\Avrsys.exe
- Program Files\Common Files\Microsoft Shared\Msn.msn
The worm then scans for any removable devices attached and for open network shares,
and copies itself into the folders found.
Note:
- %System% is a variable location and refers to the windows system directory
- The dropped files may have their attributes changed to hidden/system files
It modifies the following registry entires to run at system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Macromedia 8" = "%System%\Flash Player.exe"
"W32SYS" = "%System%\w32sys.exe"
"MSN Setup" = "C:\Program Files\Common Files\Microsoft Shared\MSN.msn" - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "Explorer.exe "%System%\6666.com""
In an attempt to hide its presence in the machine, the worm then modifies the following windows explorer settings
in the registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden" = "0"
"HideFileExt" = "1"
"Hidden" = "0" - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
"NoFolderOptions" = "1"
"NoFind" = "1"
"NoRun" = "1"
"NoFolderOptions" = "1"
"DisableRegistryTools" = "1" - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
"DisableCMD" = "2"
Symptoms
- Fake error message as mentioned earlier being displayed when executed
- Presence of the files/Registry keys mentioned above
- Inability to change the Windows folder options
Method of Infection
This worm copies itself to exisiting network folders.
It also copies itself to removable devices along with autorun.inf file, with the following contents:
Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution of the worm.
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
Variants
N/A
All Information
Overview -
This detection is for a worm which is capable of spreading through removable devices and network shares and modifies various windows explorer settings.
The characteristics of this worm, with regard to file names, folders created etc, will differ from one variant to another. Hence, this is a general description.
Aliases:
W32.Jambu (Symantec)
W32/Jambu-A (Sophos)
Characteristics
Characteristics -
When executed, this worm displays the following error message:
It drops the following files:
- %Windir%\system\Flash Player.exe
- %System%\6666.com
- %System%\Flash_8_Player.exe
- %System%\w32sys.exe
- Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).empty
- Documents and Settings\All Users\Start Menu\Flash Games.exe
- Program Files\Common Files\Microsoft Shared\Dao\Avrsys.exe
- Program Files\Common Files\Microsoft Shared\Msn.msn
The worm then scans for any removable devices attached and for open network shares,
and copies itself into the folders found.
Note:
- %System% is a variable location and refers to the windows system directory
- The dropped files may have their attributes changed to hidden/system files
It modifies the following registry entires to run at system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Macromedia 8" = "%System%\Flash Player.exe"
"W32SYS" = "%System%\w32sys.exe"
"MSN Setup" = "C:\Program Files\Common Files\Microsoft Shared\MSN.msn" - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "Explorer.exe "%System%\6666.com""
In an attempt to hide its presence in the machine, the worm then modifies the following windows explorer settings
in the registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden" = "0"
"HideFileExt" = "1"
"Hidden" = "0" - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
"NoFolderOptions" = "1"
"NoFind" = "1"
"NoRun" = "1"
"NoFolderOptions" = "1"
"DisableRegistryTools" = "1" - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
"DisableCMD" = "2"
Symptoms
Symptoms -
- Fake error message as mentioned earlier being displayed when executed
- Presence of the files/Registry keys mentioned above
- Inability to change the Windows folder options
Method of Infection
Method of Infection -
This worm copies itself to exisiting network folders.
It also copies itself to removable devices along with autorun.inf file, with the following contents:
Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution of the worm.
Removal -
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
