Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 16 April 2007 06:42:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Jambu-A is a mass mailer for the Windows platform that also targets peer-to-peer file sharing networks and local shares. W32/Jambu-A may arrive via email with variable subjects, messages and attachment names.
When executed, W32/Jambu-A copies itself to the following locations:
<System>\w32sys.exe
<System>\Flash_8_Player.exe
<System>\6666.com
<System>\Flash Player.exe
<Shared>\MSN.msn
<Shared>\AVRSYS.EXE
<Start>\Flash Games.exe
<Start>\<random>.exe
W32/Jambu-A also spreads via removable shared drives by creating the file autorun.inf and copying itself to Macromedia_Setup.exe on the removable drive. The file autorun.inf is set to run the worm copy when the removable drive is connected to another computer.
The following registry entries are created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32SYS
<System>\w32sys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Macromedia 8
<System>\Flash Player.exe
Registry entries are modified under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKCU\Software\Microsoft\Windows\System
DisableCMD
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Shell
Explorer.exe"<System>\6666.com
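
The registry changes listed above can be checked against the text output of `reg query` collected from a suspect host. This is an added example, not part of the original description: the function names and the sample output are constructed for illustration, and `<System>` is matched by file name only because the system folder differs per host.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXPLORER = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CU = r"HKCU\Software\Microsoft"
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def file_is(name):  # <System> differs per host, so compare the file name only
    return lambda data: data.strip('"').lower().endswith("\\" + name.lower())
def dword(n):  # reg.exe prints REG_DWORD data as hex, e.g. 0x1
    return lambda data: bool(re.fullmatch(r"0x[0-9a-f]+", data, re.I)) and int(data, 16) == n

# (key, value name) -> test on the data; keys, names and data come from the write-up
INDICATORS = {
    (RUN, "W32SYS"): file_is("w32sys.exe"),
    (RUN, "Macromedia 8"): file_is("Flash Player.exe"),
    **{(EXPLORER, n): dword(1) for n in ("NoFolderOptions", "NoFind", "NoRun")},
    (CU + r"\Windows\System", "DisableCMD"): dword(2),
    (CU + r"\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): dword(1),
    (CU + r"\Windows NT\CurrentVersion\WinLogon", "Shell"): lambda d: "6666.com" in d.lower(),
}
TABLE = {(k.lower(), n.lower()): t for (k, n), t in INDICATORS.items()}

def parse_reg_query(text):
    """Yield (key, name, type, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and key:
            yield (key, *m.groups())
        elif line.strip() and not line.startswith(" "):
            hive, _, rest = line.strip().partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest

def find_indicators(text):
    """Return the (key, name, data) triples that match the listed changes."""
    return [(k, n, d) for k, n, _t, d in parse_reg_query(text)
            if (test := TABLE.get((k.lower(), n.lower()))) and test(d)]

# Constructed sample, not captured from a real host
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    W32SYS    REG_SZ    C:\WINDOWS\system32\w32sys.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\System
    DisableCMD    REG_DWORD    0x2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
"""
```

`find_indicators(SAMPLE)` reports the `W32SYS` Run entry and the `DisableCMD` value, and leaves the unmodified `Shell` value alone.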

