Email-Worm.Win32.Jalabed.A, W32/Jalabed-A, [email protected]
Category: Computer Worm
Active and Spreading
07 Jul 2006
This security threat is known for gathering email addresses stored on the target machine and sending a copy of its code to those addresses. The Jalabed mass-mailing worm is also capable of spreading via mIRC. It searches network drives and copies itself to any drive it can locate from the infected machine. The malware has backdoor capabilities and can block access to websites that it deems security-related.
Once run on the infected computer, this malware creates several files with varying file extensions such as .txt, .exe, .vbs, .txt.exe, and .doc.exe. It then adds a value to particular registry subkeys, which allows the worm to run whenever Windows starts up. The Jalabed worm then creates an IRC .ini script file. This file causes mIRC to keep track of every IRC channel currently in use. When a new user joins one of the channels being monitored by the worm, a copy of the worm’s dropped files is sent to that user via DCC. If a user replies with a message that contains the strings ‘virus, worm, infected, Virii and Antivirus’, the script file tries to terminate mIRC.
The Jalabed worm also attempts to locate the KaZaa transfer folder and copies itself to that location. The filename it uses comes from a randomly generated list made by its remote author. It also searches the Windows Address Book for contacts and sends its code as an attachment to all email addresses it obtains. Next, it tries to find a specific HTML file and attempts to overwrite it. The worm copies itself to the Windows system folder of the computer; this file has the read-only and hidden file attributes set. The program also modifies the system’s registry, adding a registry key that enables it to run automatically at every Windows start-up.
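The dropped-file traits described above (names such as .txt.exe and .doc.exe, and a hidden, read-only copy in the Windows system folder) can be turned into a simple triage sweep. The script below is an added example, not part of the original write-up or any vendor tool; the function names and the default scan path are assumptions, and the attribute check only returns a result on Windows.

```python
import os
import sys

DECOY_EXTS = {".txt", ".doc"}          # inner extensions named in the write-up
EXEC_EXTS = {".exe"}                   # outer extension that actually runs
WATCHED_EXTS = {".exe", ".vbs"}        # runnable types among the dropped files
FILE_ATTRIBUTE_READONLY = 0x1          # Windows attribute bits
FILE_ATTRIBUTE_HIDDEN = 0x2


def has_decoy_double_extension(name):
    """True for names like 'notes.txt.exe' (case-insensitive)."""
    stem, outer = os.path.splitext(name.lower())
    _, inner = os.path.splitext(stem)
    return outer in EXEC_EXTS and inner in DECOY_EXTS


def hidden_and_readonly(path):
    """True if both attributes are set; None where the OS has no such attributes."""
    attrs = getattr(os.stat(path, follow_symlinks=False), "st_file_attributes", None)
    if attrs is None:
        return None
    want = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_READONLY
    return attrs & want == want


def scan(root):
    """Return sorted (path, reasons) pairs for files matching either trait."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if has_decoy_double_extension(name):
                reasons.append("double-extension")
            try:
                runnable = os.path.splitext(name.lower())[1] in WATCHED_EXTS
                if runnable and hidden_and_readonly(path):
                    reasons.append("hidden+read-only")
            except OSError:
                continue  # file vanished or access denied; skip it
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed default: the Windows system folder; pass another root as argv[1].
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else default):
        print(f"{path}\t{', '.join(reasons)}")
```

A hit is a lead for review, not a verdict: legitimate system executables can be hidden or read-only, so compare flagged files against the autorun entries in the registry before acting.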