Virus: Worm/Joleee.exx
Date discovered: 28/06/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 55.296 Bytes
MD5 checksum: 5af1323345871b352f45e9ba9912b287
VDF version: 7.10.03.193
IVDF version: 7.10.08.211 - Monday, June 28, 2010

General
Method of propagation:
   • Email


Aliases:
   • Sophos: Mal/FakeAV-CZ
   • Bitdefender: Trojan.Generic.4374174
   • Panda: Bck/Bredolab.AZ
   • Eset: Win32/SpamTool.Tedroo.AF


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification

Files
It overwrites the following file:
%WINDIR%\explorer.exe

It deletes the initially executed copy of itself.

Registry
The following registry keys are added in order to run the process again after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "id"="%hex values%"
   • "remove"="%executed file%"
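
Added example (not part of the Avira description): a small Python checker that parses a registry export of the autostart keys listed above and flags any Run value whose executable is stored in an NTFS alternate data stream, which is how this worm keeps `userini.exe` inside `%WINDIR%\explorer.exe`. The registry export text, including the benign OneDrive entry, is constructed sample input.

```python
import re

# Constructed sample registry export (.reg syntax, so backslashes are doubled):
# the autostart entries this description lists plus one benign entry for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"userini"="C:\\Windows\\explorer.exe:userini.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"userini"="%WINDIR%\\explorer.exe:userini.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# The autostart locations named in the description, under either HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(policies\\Explorer\\)?Run$", re.IGNORECASE)

def executable_part(command):
    """Executable portion of a Run value: the quoted token, or text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def is_ads_path(path):
    """True if the path names an NTFS alternate data stream (file:stream): a colon at
    index 1 is the drive separator, any other colon introduces a stream name."""
    return any(i != 1 for i, ch in enumerate(path) if ch == ":")

def find_ads_autoruns(reg_text):
    """Return (key, value_name, data) for Run-key values whose executable lives
    inside an alternate data stream of another file, e.g. explorer.exe:userini.exe."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None or not RUN_KEY_RE.search(current_key):
            continue
        name, data = value_match.group(1), value_match.group(2).replace("\\\\", "\\")
        if is_ads_path(executable_part(data)):
            hits.append((current_key, name, data))
    return hits
```

`find_ads_autoruns(SAMPLE_REG)` returns the two `userini` entries and ignores the OneDrive one; to check a real host, pass it the text of a `reg export` of the Run keys (decoded from the UTF-16 that reg.exe writes).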

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination server is established. Its characteristics are as follows:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.

Attachment:
The attachment is a copy of the malware itself.

Miscellaneous
Accesses internet resources:
   • http://91.207.7.102/pics/**********
   • http://91.207.7.102:8103/pics/**********

File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, January 13, 2011
Description updated by Petre Galan on Thursday, January 13, 2011
