Worm.Jampork.A

MEDIUM
LOW
~50kb
(Worm:Win32/Jampork.A; Worm/VB.FEF; Win32.VB.NHZ; WORM_VB.DVP)

Symptoms

- multiple instances of explorer.exe running
- presence of a file named explorer.exe in %SYSTEM32% folder

Note: explorer.exe is also the name of a legitimate file found in %WINDOWS% folder

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

This is a worm written in Visual Basic that arrives on the computer under the name explorer.exe (via removable drives, or it can be downloaded from the internet). If executed, it makes a hidden copy of itself in the %SYSTEM32% folder as explorer.exe and then runs the legitimate explorer.exe, which pops up a Windows Explorer window as a trick to disguise itself.
It then searches for a file named wsctf.exe in the same folder from which it was run. If found, a hidden copy of this file is made in the %SYSTEM32% folder.

It adds or changes the following registry keys in order to be loaded at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name = EXPLORER.EXE
Value = "EXPLORER.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name = wsctf.exe
Value = "wsctf.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name = Userinit
Value = "userinit.exe, EXPLORER.EXE"

This worm periodically searches for online-game related applications running on the computer and terminates them. The targeted games are: Warcraft III, Counter-Strike, NFS Underground 2, Crazy Arcade, O2-JAM, PopKart Client, YB_OnlineClient, legend of mir2, CTRacer Client, Audition, Fly for Fun, Online, QQGame

It spreads by dropping copies of itself on every removable drive under the name explorer.exe and creating the associated autorun.inf file, which is executed when the drive is accessed.

This worm copies the version information of a legitimate explorer.exe as another attempt to disguise itself.
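As an added, read-only triage check that is not part of the Bitdefender description, the following PowerShell script looks on a Windows host for the symptoms and registry changes listed above (the dropped files in %SYSTEM32%, the two HKCU Run values, the altered Userinit value, and explorer.exe running from System32); it assumes only built-in cmdlets and removes nothing.

```powershell
# Added example (not Bitdefender's code): read-only check for Worm.Jampork.A indicators.
$system32 = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped copies in %SYSTEM32%. The legitimate explorer.exe lives in %WINDOWS%, not System32.
foreach ($name in 'explorer.exe', 'wsctf.exe') {
    $p = Join-Path $system32 $name
    if (Test-Path -LiteralPath $p) {
        $item   = Get-Item -LiteralPath $p -Force          # -Force so hidden files are returned
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        $findings += "Suspicious file: $p (hidden=$hidden)"
    }
}

# 2. HKCU Run values the worm adds (the data is just the bare file name, as shown in the description).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'EXPLORER.EXE', 'wsctf.exe') {
    $v = Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value present: $name = $($v.$name)" }
}

# 3. Userinit tampering. A clean value is only "<path>\userinit.exe," (nothing after the comma);
#    the worm appends EXPLORER.EXE, so flag any comma-separated entry that is not userinit.exe.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
$extra = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
         Where-Object { $_ -and ($_ -notmatch 'userinit\.exe$') }
if ($extra) { $findings += "Userinit has extra entries: $userinit" }

# 4. explorer.exe processes. Several instances can be normal on multi-session hosts, so the
#    decisive signal is an instance whose image path is under System32 rather than %WINDOWS%.
$explorers = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
$findings += "explorer.exe instance count: $($explorers.Count)"
foreach ($proc in $explorers) {
    if ($proc.Path -and ($proc.Path -like "$system32\*")) {
        $findings += "explorer.exe running from System32: $($proc.Path) (PID $($proc.Id))"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell prompt so the Winlogon key and process paths of other users are readable; a hit on items 1, 2 or 3 should be handed to the antivirus for cleanup rather than fixed by hand, since the Userinit value must be restored exactly or logons break.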