Virus: Worm/Juske.B
Date discovered: 29/07/2010
Type: Worm
In the wild: Yes
Reported infections: Low to medium
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 103,424 bytes
MD5 checksum: 6ed4fd27f5c6f0a3a928f03f7286584c
IVDF version: 7.10.09.249 - Wednesday, July 28, 2010

General method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: W32.Yimfoca
   • Kaspersky: Trojan.Win32.Jorik.SdBot.aq
   • TrendMicro: WORM_YIMBOT.AL
   • F-Secure: P2P-Worm:W32/Palevo.CX
   • Sophos: Troj/Agent-OCT
   • Bitdefender: Worm.P2P.Palevo.FX
   • Microsoft: Trojan:Win32/Ircbrute
   • PCTools: Worm.Palevo
   • VirusBuster: Trojan.Ircbrute.BKE
   • Eset: IRC/SdBot
   • GData: Worm.P2P.Palevo.FX
   • AhnLab: Win32/Palevo.worm.103424.JD
   • DrWeb: Trojan.DownLoader1.16171
   • Fortinet: W32/Agent.59AD!tr
   • Ikarus: Trojan.Win32.Jorik


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\jusched.exe



The following files are created:
   • %WINDIR%\mdll.dl (a non-malicious text file that contains information about the program itself)
   • %WINDIR%\wintybrd.png
   • %WINDIR%\wintybrdf.jpg

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Java developer Script Browse"="%WINDIR%\jusched.exe"

File details
Programming language: The malware program was written in MS Visual C++.
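A host-side check for the persistence described above, written for this page as an added example (not Avira's code): it reads the three Run keys named in the description and flags the "Java developer Script Browse" value as well as any Run command that launches jusched.exe from %WINDIR%. The location matters because the legitimate Java Update Scheduler is also called jusched.exe but runs from Program Files; the constructed SAMPLE_VALUES list and the Windows-only collector are assumptions of this example, and the Windows directory defaults to C:\Windows.

```python
# Indicators from the description above: the three Run keys, the value name
# and the dropped-file location (%WINDIR%\jusched.exe).
RUN_VALUE_NAME = "Java developer Script Browse"
RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    r"\Install\Software\Microsoft\Windows\CurrentVersion\Run",
]
DROPPED_EXE = r"%WINDIR%\jusched.exe"

def suspicious_run_values(values, windir=r"C:\Windows"):
    """values: (key, value_name, data) triples, live from collect_run_values_windows()
    or parsed from a 'reg export'. Flags the Juske.B value name and any Run command
    that starts jusched.exe inside %WINDIR% (match is case-insensitive, quotes and
    trailing arguments tolerated); a legitimate jusched.exe under Program Files
    is not flagged."""
    target = DROPPED_EXE.replace("%WINDIR%", windir).lower()
    return [(key, name, data) for key, name, data in values
            if name == RUN_VALUE_NAME
            or data.strip().strip('"').lower().startswith(target)]

def collect_run_values_windows():
    """Enumerate the three Run keys live on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = []
    for key in RUN_KEYS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                i = 0
                while True:  # EnumValue raises OSError once the values run out
                    name, data, _ = winreg.EnumValue(h, i)
                    out.append((key, name, str(data)))
                    i += 1
        except OSError:  # key absent (e.g. no Terminal Server mapping) or end of list
            continue
    return out

# Constructed sample input (not from a real host): one legitimate Java updater
# entry plus two Juske.B-style entries, the second under a renamed value.
SAMPLE_VALUES = [
    (RUN_KEYS[0], "SunJavaUpdateSched",
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    (RUN_KEYS[0], RUN_VALUE_NAME, r"C:\Windows\jusched.exe"),
    (RUN_KEYS[1], "Updater", r'"C:\WINDOWS\jusched.exe" -autostart'),
]
```

On a Windows host, `suspicious_run_values(collect_run_values_windows())` runs the same check against the live registry; on any other platform the collector returns an empty list and SAMPLE_VALUES can be used instead.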

Description inserted by Patrick Schoenherr on Friday, July 30, 2010
Description updated by Patrick Schoenherr on Monday, August 2, 2010
