Aliases: Trojan.Win32.Agent.giu, TR/Agent.GSM, Worm_Hidden.B
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 29 Jan 2008
Damage: Low

Characteristics: W32.Joydotto is an autorun worm that propagates by copying itself to every removable drive attached to the infected system. It also attempts to download potentially dangerous files to the system. The worm is stored in a random space on the infected drive. That space is tagged as corrupted, so it is considered unusable, which makes the malware ‘invisible’ and not easily discovered. The malware is created without a filename and is run from the disk offset where it is located.

More details about W32.Joydotto

Once run on the infected computer, the worm starts creating exe and dat files. It creates 2 registry entries that allow it to execute at startup, and it alters other registry entries to hide file extensions and system files in Windows Explorer. W32.Joydotto copies an encrypted version of itself and a loader file to every removable drive that has a FAT partition. It then creates an autorun.inf file on all drives so that the worm runs when the drive is used. It also sets the sector flag of the FAT partition to reserved or corrupted. Next, it creates a service with the name SmartTag Recognizer. This service supposedly aids the system in identifying smart tags.
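The hiding technique described above leaves a trace that can be checked on a raw image of a suspect removable drive: space flagged as reserved or corrupted that still holds data. The following is an added example, not code from the original page; the function names are hypothetical, the image is constructed for the demonstration, and only FAT16 and FAT32 are handled.

```python
import struct

def hidden_in_flagged_clusters(img):
    """Return [(cluster, fat_value, nonzero_bytes)] for FAT16/FAT32 clusters whose
    FAT entry is bad (..F7) or reserved (..F0-..F6) yet whose data area is not empty."""
    bps, spc, rsvd, nfats, root_ents, tot16 = struct.unpack_from("<HBHBHH", img, 11)
    fatsz16 = struct.unpack_from("<H", img, 22)[0]
    tot32, fatsz32 = struct.unpack_from("<II", img, 32)
    fatsz, total = fatsz16 or fatsz32, tot16 or tot32
    first_data = rsvd + nfats * fatsz + (root_ents * 32 + bps - 1) // bps
    nclusters = (total - first_data) // spc
    if nclusters < 4085:
        raise ValueError("FAT12 volumes are not handled by this example")
    fmt, width, mask = ("<H", 2, 0xFFFF) if nclusters < 65525 else ("<I", 4, 0x0FFFFFFF)
    fat_off, findings = rsvd * bps, []
    for n in range(2, nclusters + 2):            # clusters are numbered from 2
        value = struct.unpack_from(fmt, img, fat_off + n * width)[0] & mask
        if mask - 0xF <= value <= mask - 0x8:    # reserved range or bad-cluster mark
            start = (first_data + (n - 2) * spc) * bps
            data = img[start:start + spc * bps]
            nonzero = len(data) - data.count(0)
            if nonzero:
                findings.append((n, value, nonzero))
    return findings

def build_sample_image():
    """Constructed FAT16 image (not real data): 4085 one-sector clusters."""
    bps, rsvd, fatsz, root_ents, nclusters = 512, 1, 16, 16, 4085
    first_data = rsvd + fatsz + 1                # one FAT copy, one root-dir sector
    img = bytearray((first_data + nclusters) * bps)
    struct.pack_into("<HBHBHH", img, 11, bps, 1, rsvd, 1, root_ents,
                     first_data + nclusters)
    struct.pack_into("<H", img, 22, fatsz)
    fat = rsvd * bps
    struct.pack_into("<HH", img, fat, 0xFFF8, 0xFFFF)   # entries 0 and 1
    struct.pack_into("<H", img, fat + 9 * 2, 0xFFF7)    # cluster 9: bad, holds data
    struct.pack_into("<H", img, fat + 20 * 2, 0xFFF7)   # cluster 20: bad, empty
    struct.pack_into("<H", img, fat + 30 * 2, 0xFFFF)   # cluster 30: normal file
    c9, c30 = (first_data + 7) * bps, (first_data + 28) * bps
    img[c9:c9 + 5] = b"DUMMY"                    # placeholder bytes, not malware
    img[c30:c30 + 4] = b"FILE"
    return bytes(img)

if __name__ == "__main__":
    for cluster, value, nonzero in hidden_in_flagged_clusters(build_sample_image()):
        print(f"cluster {cluster}: FAT entry {value:#x}, {nonzero} non-zero bytes")
```

A drive with genuinely failing media can also show bad clusters that hold stale content, so each finding is a lead for review rather than proof of infection.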

W32.Joydotto will likewise try to download malicious files from a predetermined website. This security threat also gathers important information from the system, including the current username, computer name, UUID and SKUNumber. The worm uploads the stolen information to 4 websites that might be the worm creator's server or personal website.

To completely get rid of the infection, search the system for all the files added by the W32.Joydotto malware by using Windows' search function. Next, create a backup of the registry and then delete all the registry values that the security threat created.