Aliases: W32/Jambu.worm
Variants: W32/Jambu-A, W32/Jambu-A Win32, W32/Jambu.worm

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: Asia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 18 Apr 2007
Damage: Low

Characteristics: This malware is an autorun worm. It can spread via network shares and removable storage devices. This worm can likewise download malicious files to the compromised computer. The autorun function exploited by the W32.Jambu worm can permit EXE files on drives to be immediately run once the drive is accessed. The autorun function works by following the commands inside the file autorun.inf file.

More details about W32.Jambu

Upon being executed in the compromised computer system, the W32.Jambu worm will display an official looking message that is actually a fake. This message will state something along the lines of a movie not being able to load because there’s no Flash Player 8 in installed in the system and that users have to install the application first or go to Macromedia’s site to download it. However, the link to the so-called Macromedia site provided by the message is not the real site but a site that can possibly do more damage to the infected system. By clicking on links to the said site, the user may inadvertently download more malicious files onto the computer. The worm will also create several files on every drive which includes removable and mapped drives. It will then create an autorun.inf file and some files in the html and exe file extension.

The W32.Jambu worm is also capable of modifying the Windows Registry. It will create 3 registry entries so that its execution is ensured once Windows starts as well. It will then go on to create more registry subkeys to carry out its other malicious tasks. Lastly, it will modify (not create) plenty of other registry entries. The W32.Jambu application is worm software. It enters the system using folders and resources shared with networks. This can include Local Access Networks (LANs) and peer-to-peer (P2P) networks. Operating system vulnerabilities may be used to enter the system. Most worm programs also have lists of common user names and passwords. These can be used to launch a brute-force attack on protected network shares. The software will try all the entries in its list to access the resource.