W32.Josam.Worm


Aliases: Email-Worm.Win32.Josam.a, W32/Josam, NewHeur_PE 
Variants: WORM_JOSAM.A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 03 Nov 2004
Damage: Low

Characteristics: The malware W32.Josam.Worm is an email worm. It uses its very own SMTP (Simple Mail Transfer Protocol) engine to spread its code via emails. This worm needs the runtime files NMFast50.bpl and Vcl50.bpl to execute successfully in the target computer system.

More details about W32.Josam.Worm

Upon execution of the worm in the target machine, it will immediately copy itself as an EXE file. This worm is also capable of modifying the Windows registry. It adds a value to a particular registry key so that it can run along with the Windows operating system when its starts. Next, the worm will wait in the background for the machine to make a connection to the Internet. The W32.Josam.Worm malware will also try and locate email addresses stored in the victim machine. When it has successfully gathered email addresses, it will send email messages to the addresses with an attachment of its code as a .ZIP file. It will also use its own Simple Mail Transfer Protocol engine for sending. The infected email sent by the worm will be a fake Symantec message stating that the user did something wrong that might jeopardize the system’s security. To correct the user’s mistake, it is necessary to download the attached file. This attached file contains the worm’s copy.

The W32.Josam.Worm application can also act as an IRCbot. It can send messages to specific IRC channels and users. It may also start or close threads. It may be used to spread malware programs to other IRC channels. The software saves a copy of itself in the System32 folder of the Windows directory. Registry entries are modified so the process can run once Windows starts. The W32.Josam.Worm application often propagated through shared computer resources on the network. It utilizes exploits on the Windows operating system spread security threats on the computer without the user’s knowledge. Computers protected with weak passwords are prone to the infiltration of the application.