How to Prevent and Remove the Email-Worm.Win32.Joleee.foa

Bookmark and Share

 

1. What is the Email-Worm.Win32.Joleee.foa

Email-Worm.Win32.Joleee.foa (or Troj/Harnig-CD) is a dangerous computer Worm that attempts to replicate across an existing network once it gains entry. Email-Worm.Win32.Joleee.foa has the capability to send malicious email messages via a built-in SMTP client engine. Email-Worm.Win32.Joleee.foa uses the malicious emails to spread by linking copies of itself to the messages. Email-Worm.Win32.Joleee.foa may also create a startup registry entry to produce outbound traffic. Email-Worm.Win32.Joleee.foa contains all the characteristics of an identified security risk and should be removed from the infected system immediately.

Alias: Generic Obfuscated.g [McAfee], Email-Worm.Win32.Joleee [Ikarus] 

 

2.Technical Details:

 

a. The following files were created in the system:

# Filename(s) File Size
1 %System%\msvmiode.exe
[file and pathname of the sample #1] 		104,424 bytes
  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • There was a new process created in the system:

Process Name Process Filename Main Module Size
msvmiode.exe %System%\msvmiode.exe 159,744 bytes

c.  Registry Modifications

  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • MSODESNV7 = "%System%\msvmiode.exe"

      so that msvmiode.exe runs every time Windows starts
       
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
      • ridt100413 = "1"
      • id = "52254485615773632619772551630004"
      • host = "91.200.242.230"

    d. Other details

    • The following ports were open in the system:

    Port Protocol Process
    1056 TCP msvmiode.exe (%System%\msvmiode.exe)
    1531 TCP msvmiode.exe (%System%\msvmiode.exe)

    • There were registered attempts to establish connection with the remote hosts. The connection details are:

    Remote Host Port Number
    50.59.85ae.static.theplanet.com 25
    129.22.105.31 25
    207.217.125.16 25
    24.171.168.114 25
    65.55.37.104 25
    65.55.37.88 25
    65.55.92.136 25
    65.55.92.168 25
    65.55.92.184 25
    66.228.118.25 25
    50.59.85ae.static.theplanet.com 587
    66.228.118.25 587
    91.200.242.230 80
    • Email Senders:
      • Loves.ViagraCialis16@yahoo.com
      • <Loves.ViagraCialis16@yahoo.com>
      • <ann_hvoz@msn.com>
    • Email Recipients:
      • potato9n@partenaire-entreprise.fr
      • <jfw9@po.cwru.edu>
      • <loisgeller@loisgellermarketinggroup.com>
      • <jblaine@wcpss.net>
      • <nickowei@hotmail.com>
      • <kel-webstev@metsacramento.org>
      • <info@bestwedding-cake.com>
      • <shana1996@gmail.com>
      • <guru2101@gmail.com>
      • <budiprasetyo@gmail.com>
      • <loungelizards4lisa@gmail.com>
      • <kbierer@blueyonder.co.uk>
      • <iikko2002@pitpassradio.com>
      • <kevin@internetmarketer-tools.com>
      • <daga_2004@post.cz>
      • <bmogotsi@ovi.com>
      • <lilsweet78@yahoo.com>
      • <minhng74@yahoo.com>
    • Email Subject:
      • for the holidays you need it!
    • Email Body:

     

    3. How-to's

    a. How to prevent the  Email-Worm.Win32.Joleee.foa ?

    Please update the policy basic knowledge of Sax2  in time, Once  Ax3soft sax2 detects  the communication of these trojans, it will break them and  ensure your network & business security.

    b. How to Remove the Email-Worm.Win32.Joleee.foa Manually?

    Step 1 : Use Windows Task Manager to Remove Email-Worm.Win32.Joleee.foa Processes

    msvmiode.exe

    Step 2 : Use Registry Editor to Remove Email-Worm.Win32.Joleee.foa Registry Values

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSODESNV7 = "%System%\msvmiode.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
    ridt100413 = "1"
    id = "52254485615773632619772551630004"
    host = "91.200.242.230"

    Step3: Detect and Delete Other Email-Worm.Win32.Joleee.foa Files

    %System%\msvmiode.exe
    [file and pathname of the sample #1]

    c. How to Remove these trojans Instantly?

    Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the  Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit  http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

    		•