Home / malware Worm.Jampork.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Worm.Jampork.A is also known as Worm:Win32/Jampork.A;, Worm/VB.FEF;, Win32.VB.NHZ;, WORM_VB.DVP.
Explanation :
This is a worm written in Visual Basic that arrives on the computer under the name explorer.exe (via removable drives or it can be downloaded from the internet). If executed it will make a hidden copy of itself in %SYSTEM32% folder under explorer.exe then it will run the legitimate explorer.exe which will pop-up a Windows Explorer window as a trick to disguise itself.
Then it will search for a file named wsctf.exe in the same forder from wich it was run. If found, a hidden copy of this file will be made in %SYSTEM32% folder.
It will add/change the following registry keys in order to be loaded at every system startup:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Name = EXPLORER.EXE
Value = "EXPLORER.EXE"
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Name = wsctf.exe
Value = "wsctf.exe"
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
Name = Userinit
Value = "userinit.exe, EXPLORER.EXE"
This worm will periodically search for onlinegames related applications running on the cumputer and terminate them. The targeted games are: Warcraft III, Counter-Strike, NFS Underground 2, Crazy Arcade, O2-JAM, PopKart Client, YB_OnlineClient, legend of mir2, CTRacer Client, Audition, Fly for Fun, Online, QQGame
It spreads itself by dropping copies of itself on every removable drive under the name explorer.exe and creating the associated autorun.inf file that will be executed when the drive will be accessed.
This worm uses the version information of a legitimate explorer.exe as another attempt to disguise itself.Last update 21 November 2011
