W32.Jermy.A


Aliases: Email-Worm.Win32.Kazus.d, I-Worm.Kazus.d, W32/Generic.a@MM, HLLM.Generic.259, Win32/VBMassMail.gen+
Variants: WORM_JERMY.C, W32/Jermy, Win32:Jeremy-C, I-Worm/Kazus.B, Worm Generic.LC

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Europe, America
Removal: Hard
Platform: W32
Discovered: 24 Oct 2003
Damage: Low

Characteristics: The W32.Jermy.A worm is an email worm written in Visual Basic. This worm will attempt to send itself to the addresses it will harvest from the address book of Microsoft Outlook. The email that that the worm will be sending will have an attachment that is infected with its code and can either be in the .exe or .scr format. The worm will likewise try to establish a connection to a predetermined IRC server to wait for commands that will be given by its remote master.

More details about W32.Jermy.A

Once run in the compromised computer, the W32.Jermy.A will create a text file and an .ini file which is actually a Trojan. It will then copy itself to the system as a .scr file. Next, the worm will create autostart entries in the Registry allowing it to run whenever Windows is started. This worm is capable of searching the address book of Outlook Express and sending itself as an attachment to addresses it has obtained. The body of the email is in the Slovakian language. The worm is also able to alter the Search and Start page settings of the Internet Explorer by changing its registry values. When altered, Internet Explorer will be redirected to sites predefined by the worm. It then tries to connect with its author via an IRC server for more instructions.

To remove the infection of the W32.Jermy.A worm, all dropped files related with it should be deleted upon detection. You can go to the Windows Task Manager and then look at the list of all active process. When all dropped files have been located, end them by clicking the ‘End Process’ option. You can also try to identify the security threat’s related files’ exact locations in the hard drive and then remove them. You can then turn on the Windows Task Manager again to make sure that the malware and all malicious files associated with it have been eliminated from the system.