WORM_JER.A
With multiple aliases and the ability to infect Windows systems from 98 to Server 2003, WORM_JER.A is a noticeable threat that should be quickly deleted to restore full system functionality. WORM_JER.A can disable important programs like Task Manager, copy itself to removable drives to propagate, produce outbound traffic, and may also have spyware capabilities. Worms like WORM_JER.A can easily infect computers that come in contact, even indirectly, with already infected systems, and keeping active security software is necessary to ensure a defense against this malware.
A Worm by Any Other Name
WORM_JER.A is also known by the aliases W32/VB-EMD, Worm/VB.SB, Worm:Win32/VB.HG, W32.SillyDC and Worm.Win32.VB.awg. Regardless of the exact name the infection is detected under, WORM_JER.A will make copies of itself on all physical drives, using Autorun exploits to transfer itself to new systems if any of the drives are removable. WORM_JER.A can also spread through networks and is difficult to eradicate in large network scenarios.
Since WORM_JER.A has been a confirmed threat, with protection against it available from early 2010 onwards, fighting it isn't likely to require the most up-to-date security software. Despite this, the worm produces enough problems to remain quite threatening to anyone not prepared to catch and delete it.
Any machine running Windows 98, NT, ME, 2K, XP or Server 2003 will be vulnerable to infection by WORM_JER.A, and you should protect your computer accordingly.
Risks Associated with This Little Worm
Any system compromised by WORM_JER.A will suffer some obvious problems and a few other dangers that aren't so easy to see. As is the case with most kinds of malware, WORM_JER.A will remain a high security threat until removed, so don't delay and take appropriate action.
- WORM_JER.A has been reported to have some spyware functionality. This allows WORM_JER.A to steal sensitive information such as passwords or even directly record keyboard or microphone input. Avoiding saving the information to a file isn't necessarily a way to bypass WORM_JER.A's spying, and such information will usually be transferred to anonymous criminals.
- WORM_JER.A will change the registry for several reasons. The changes let WORM_JER.A run in the background without needing to interact with the user significantly, but this is the lesser of WORM_JER.A's threats. More alarmingly, WORM_JER.A may also use registry changes to disable important Windows programs. Variants of WORM_JER.A have been confirmed to target Task Manager and registry-related applications. Without access to these programs, any computer will be extremely vulnerable to other serious malware attacks.
- As a final insult, WORM_JER.A may also create outbound traffic. This is usually related to sending private information to hackers, as noted above, but it may also be for other malicious purposes. This act inevitably uses up system resources that would be better spent on user-authorized activities.
File System Modifications
- The following files were created in the system:
| # | File Name |
|---|---|
| 1 | %CommonPrograms%\Startup\SYSTEMIL2.EXE |
| 2 | %FontsDir%\services.exe, %Windir%\svc2.exe |
| 3 | %System%\nwcwks.dll, %Windir%\Tasks\fbagent.job |
| 4 | %Temp%\34byl.exe, %Windir%\Temp\34byl.exe |
| 5 | %Temp%\4wa3x6e21.bat, %FontsDir%\mlog |
| 6 | %Windir%\SYSTEMIL.EXE, %AppData%\hil.exe |
| 7 | %Windir%\Temp\ fb_spam_ab4.exe, %AppData%\yaor.exe |
| 8 | %Windir%\Temp\ main.exe, %Temp%\2rogvoir.exe |
| 9 | %Windir%\Temp\ res_ab4.exe, %AppData%\stwwx.exe |
| 10 | %Windir%\Temp\1.jpg, %Windir%\Temp\12.tmp |
| 11 | %Windir%\Temp\13.tmp, %Windir%\Temp\14.tmp |
| 12 | %Windir%\Temp\2.jpg, %Windir%\Temp\7pp8em6k5.exe |
| 13 | %Windir%\Temp\9cho4.log, %Windir%\Temp\file.exe |
| 14 | %Windir%\Temp\index.html, %Windir%\Temp\ins3mlxqr.exe |
| 15 | %Windir%\Temp\o6jv.exe |
| 16 | c:\2.txt, %Windir%\Temp\111.tmp |
| 17 | c:\Documents.exe |
Registry Modifications
- The following registry entries were newly created:
HKEY..\..\..\..{Subkeys}
- HKEY_LOCAL_MACHINE\SOFTWARE\Alexa Internet
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tbsolute
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\New Windows
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats

HKEY..\..\..\..{RegistryKeys}
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Enum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
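
A triage sketch for the registry behaviour described above, added here as an example and not taken from the original write-up or any vendor tool: it reads the text of a `reg export` file and flags entries under the `policies\Explorer\Run` key listed above, plus non-zero tool-lockout policy values. The value names `DisableTaskMgr` and `DisableRegistryTools` are the standard Windows policy values for blocking Task Manager and registry editors; the page does not name them, so their use by this worm is an assumption, and the sample export is constructed.

```python
import re

# Constructed sample of decoded `reg export` text (not from a real infection).
# Real version-5.00 exports are UTF-16; decode the file before passing it in.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"sample"="C:\\WINDOWS\\example-placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Assumed lockout values (standard Windows policy names, not named on the page).
LOCKOUT_VALUES = {"disabletaskmgr", "disableregistrytools"}
# Autostart key taken from the {RunKeys} group in the list above.
POLICY_RUN_SUFFIX = r"\microsoft\windows\currentversion\policies\explorer\run"

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def triage(text):
    """Return (finding_type, key, value_name) tuples worth an analyst's look."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()  # registry key and value names are case-insensitive
        if k.endswith(r"\policies\system") and name.lower() in LOCKOUT_VALUES:
            m = re.fullmatch(r"dword:([0-9a-f]{8})", data.lower())
            if m and int(m.group(1), 16) != 0:  # zero means not enforced
                findings.append(("tool-lockout", key, name))
        elif k.endswith(POLICY_RUN_SUFFIX):
            # Any value here is launched at logon; rarely used legitimately.
            findings.append(("policy-run-autostart", key, name))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Because the lockout policies block the built-in tools on the live system, run this against an export taken offline or from another administrative context.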