W32/Jambu-A is a mass mailer for the Windows platform that also targets peer-to-peer file sharing networks and local shares.
W32/Jambu-A may arrive via email with variable subjects, messages and attachment names.
When executed, W32/Jambu-A copies itself to the following locations:
<System>\w32sys.exe
<System>\Flash_8_Player.exe
<System>\6666.com
<System>\Flash Player.exe
<Shared>\MSN.msn
<Shared>\AVRSYS.EXE
<Start>\Flash Games.exe
<Start>\<random>.exe
W32/Jambu-A also spreads via removable shared drives by creating the file autorun.inf and copying the worm to Macromedia_Setup.exe on the removable drive. The file autorun.inf is then set to run the worm component when the removable drive is connected to another computer.
The following registry entries are created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32SYS
<System>\w32sys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Macromedia 8
<System>\Flash Player.exe
Registry entries are modified under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\System
DisableCMD
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Shell
Explorer.exe"<System>\6666.com
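
A check for the registry values listed above, run over saved `reg query` text output, as an added example that is not part of the original description. The function names and the sample output are constructed for illustration, and the parser assumes the usual `reg query` layout of a key line followed by indented name, type and data columns.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# (key, value name, data) from the description; strings match on the file name, as <System> varies.
INDICATORS = [
    (RUN, "W32SYS", "w32sys.exe"),
    (RUN, "Macromedia 8", "Flash Player.exe"),
    *[(EXPLORER, name, 1) for name in ("NoFolderOptions", "NoFind", "NoRun")],
    (r"HKCU\Software\Microsoft\Windows\System", "DisableCMD", 2),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinLogon", "Shell", "6666.com"),
]
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value name, data) from `reg query` text, with the hive abbreviated."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()
        elif line.strip() and not line.startswith(" "):
            hive, _, rest = line.strip().partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest

def data_matches(data, expected):
    if isinstance(expected, int):  # reg query prints DWORDs as hex, e.g. 0x1
        return bool(re.fullmatch(r"0x[0-9a-fA-F]+", data)) and int(data, 16) == expected
    return data.strip('"').lower().endswith(expected.lower())

def find_indicators(text):
    """Return the (key, value name, data) entries that match a listed indicator."""
    wanted = {(k.lower(), n.lower()): d for k, n, d in INDICATORS}
    return [(k, n, d) for k, n, d in parse_reg_query(text)
            if (k.lower(), n.lower()) in wanted
            and data_matches(d, wanted[(k.lower(), n.lower())])]

# Constructed sample output, not captured from an infected host.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    W32SYS    REG_SZ    C:\WINDOWS\system32\w32sys.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\System
    DisableCMD    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun    REG_DWORD    0x0
"""
```

`find_indicators(SAMPLE)` returns the W32SYS and DisableCMD entries; NoRun is skipped because its data is 0, not the 1 listed above.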