WORM_JUBON.A

Discussion in 'malware problems & news' started by Randy_Bell, Dec 20, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_JUBON.A is a memory-resident worm that propagates via the Web. It downloads a malicious file from a specific URL, which enables a mass-mailing routine. It runs on Windows 95, 98, ME, NT, 2000, and XP, and is currently spreading in the wild.

    Upon execution, this worm runs one of its components, JAMES.EXE, in order to download another file, BOND.EXE, from one of two specific Web sites. It drops the downloaded file in the Windows system folder and sets its attributes to hidden. The component BOND.EXE is responsible for the mass-mailing routine.

    Once the download is successful, the file JAMES.EXE terminates. The component BOND.EXE remains in memory, listens on port 80, and establishes connections with two IP addresses. This worm also drops a file, JAMES.INI, in the Windows folder, which contains vital information on JAMES.EXE.

    The dropped BOND.EXE file sends an SMTP (Simple Mail Transfer Protocol) request to another set of IP addresses and attempts to send email messages to random users of the following domains:

    • hanmail.net
    • daum.net
    From: Yaho <a9999999@yahoo.co.kr>
    To:

    <random user name>@hanmail.net
    <random user name>@daum.net

    Subject: <in Korean text>

    Message Body:
    an HTML message that contains a link to a certain Korean pornographic website:
    http://38.118.128.181/check/yahogirl.htm
    {Author Note: I tested this and the link is *dead*; Trend includes this info but recommends not clicking on the link, to be safe}

    When the user clicks this link, this malware downloads the worm component, JAMES.EXE, to the Windows system folder. The attributes of this file are also set to hidden. This worm also creates a registry entry that allows it to automatically execute upon every Windows startup. {Detected and cleaned by Trend Micro pattern file #701 and above}.
     
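A gateway-side check for the spam this worm sends, added here as an example (my own code, not Trend Micro's or the poster's). The two sample messages are constructed; the only values taken from the write-up are the sender address, the two recipient domains and the host of the link in the HTML body.

```python
# Added example: flag messages that match the WORM_JUBON.A mass-mailing
# pattern described above. Sample messages below are constructed, not captures.
from email import message_from_string
from email.utils import parseaddr, getaddresses

SENDER_ADDRESS = "a9999999@yahoo.co.kr"        # From: Yaho <a9999999@yahoo.co.kr>
TARGET_DOMAINS = {"hanmail.net", "daum.net"}   # domains the worm mails random users at
LURE_HOST = "38.118.128.181"                   # host of the link in the HTML body


def jubon_indicators(raw_message: str) -> list[str]:
    """Return the names of the WORM_JUBON.A indicators present in one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == SENDER_ADDRESS:
        hits.append("sender")
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    if recipients and all(a.rsplit("@", 1)[-1].lower() in TARGET_DOMAINS for a in recipients):
        hits.append("recipient-domains")
    body = msg.get_payload(decode=True) or b""   # None for multipart; treated as empty
    if LURE_HOST.encode() in body:
        hits.append("lure-link")
    return hits


def is_jubon_spam(raw_message: str) -> bool:
    # The sender alone is spoofable and the domains alone are normal Korean mail,
    # so require the sender plus at least one more indicator.
    hits = jubon_indicators(raw_message)
    return "sender" in hits and len(hits) >= 2


# Constructed sample messages (placeholder subject; not real captures).
WORM_MAIL = (
    "From: Yaho <a9999999@yahoo.co.kr>\n"
    "To: <qwerty123@hanmail.net>, <asdf456@daum.net>\n"
    "Subject: [Korean subject text placeholder]\n"
    "Content-Type: text/html\n\n"
    '<html><body><a href="http://38.118.128.181/check/yahogirl.htm">click</a></body></html>\n'
)
NORMAL_MAIL = (
    "From: Alice <alice@example.com>\nTo: <bob@hanmail.net>\n"
    "Subject: lunch\nContent-Type: text/plain\n\nSee you at noon.\n"
)

if __name__ == "__main__":
    for name, raw in (("worm", WORM_MAIL), ("normal", NORMAL_MAIL)):
        print(name, jubon_indicators(raw), is_jubon_spam(raw))
```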
  2. Randy_Bell

    :D :D :D Am I the only one who finds this Worm hilarious? Did no one else catch the humor? Hint: James.exe and Bond.exe are its two components? -- Happy Holidays! Ya gotta admit, the Author of this Worm really has a sense of humor!
     