Global sites
SolutionsProductsPurchaseDownloadPartnersSupportCompanyThreat Center
Threat CenterEset Online scannerESET SysInspectorThreatSense® ThreatSense.Net® Security TipsThreat LevelThreat Dictionary
Threat Encyclopaedia
Update infoVirus Radar on your Website
Antivirus Software NOD32 > Threat Center > Threat Encyclopaedia > J

Threat Encyclopaedia

Print this pageSend

Win32/Joleee.NG

Aliases:Trojan.Win32.Agent.bsja (Kaspersky), Trojan.Spammer.Tedroo (BitDefender) 
Type of infiltration:Worm  
Size:27649 B 
Affected platforms:Microsoft Windows 
Signature database version:3882 (20090223) 

Short description

Win32/Joleee.NG is a worm that is used for spam distribution.

Installation

When executed, the worm copies itself into the following location:
  • %systemroot%\Services.exe
In order to be executed on system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "services" = "%systemroot%\services.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "services" = "%systemroot%\services.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallOverride" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallOverride" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    wscsvc]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\
    DomainProfile]
    "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\
    StandardProfile]
    "EnableFirewall" = 0
After the installation is complete, the worm deletes the original executable file.

Other information

The worm creates the following files:
  • %systemroot%\file.bat
  • %systemroot%\adobe.bat
  • %systemroot%\_id.dat
  • file.bat
The following services are disabled:
  • wscsvc (Windows Security Center Service)
  • sharedaccess (Windows Firewall/Internet Connection Sharing)
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    services]
    "del" = %filepath%
The worm executes the following commands:
  • netsh firewall add allowedprogram %filepath% allowed ENABLE
  • netsh firewall set opmode DISABLE
A string with variable content is used instead of %filepath%.

The worm checks for Internet connectivity by trying to connect to the following servers:
  • hotmail.com
  • yahoo.com
  • aol.com
  • google.com
  • mail.com
The worm is sent data and commands from a remote computer or the Internet.

The worm connects to some of the following IP addresses:
  • 66.232.126.138
  • 66.232.126.195
  • 91.207.4.122
The HTTP protocol is used.

The worm can be used for sending spam.