[INFO]
AnalystName=Ionut Pipirig
AnalystEMailID=ipipirig@comodo.com
Team=Romania
Date=22-NOV-2010
Type=EmailWorm
Platform=Win32
SubType=
Family=Joleee
Variant=

[OVERVIEW]
EmailWorm.Win32.Joleee is malicious adware, also known as advertising software. It has the capability to send malicious email messages via a built-in SMTP client engine.

[TECHNICAL_DESCRIPTION]
In most cases, Email-worm.Win32.Joleee has the following behavior:
- When launched, the worm copies its executable file to the Windows root directory:
  [%WinDir%\services.exe]
- In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file in the system registry:
  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Services" = "%WinDir%\services.exe"
- Disables the system firewall by modifying the following registry keys:
  [HKLM\SOFTWARE\Microsoft\Security Center]
  "FirewallDisableNotify" = 1
  "FirewallOverride" = 1
  [HKLM\System\CurrentControlSet\Services\SharedAccess]
  "Start" = 4
  [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
  "EnableFirewall" = 0
  [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
  "EnableFirewall" = 0
- Adds its executable file to the Windows firewall list of trusted applications.

[SYMPTOMS]
Email-worm.Win32.Joleee sends spam from the victim machine. The data is downloaded in XML format and saved to the Windows temporary directory. The downloaded data is then used to create and send spam. The spam mailings target Gmail users.

[DISINFECTION]
Install and scan your computer with Comodo Internet Security to remove these threats.
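As an added example (not part of the Comodo write-up), the following read-only PowerShell audit checks a host for the persistence, dropped-file and firewall-tampering indicators listed above; the Test-RegValue helper and the finding labels are this example's own, and it assumes the registry paths exactly as given in the technical description.

```powershell
# Added example, not from the Comodo write-up: audits a Windows host for the
# Joleee indicators listed above. Read-only; it only reports what it finds.
$findings = @()

function Test-RegValue {
    # Records a finding when the named value exists and equals the expected data.
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.$Name)" -eq "$Expected") {
        $script:findings += "[$Label] $Path\$Name = $Expected"
    }
}

# Persistence: Run value named "Services" pointing at %WinDir%\services.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Services']) {
    $target = [Environment]::ExpandEnvironmentVariables($run.Services).Trim('"')
    if ($target -eq (Join-Path $env:WinDir 'services.exe')) {
        $findings += "[persistence] $runKey\Services = $($run.Services)"
    }
}

# Dropped copy: the legitimate services.exe lives in %WinDir%\System32, so a
# services.exe directly under %WinDir% is suspicious on its own.
$dropped = Join-Path $env:WinDir 'services.exe'
if (Test-Path $dropped) { $findings += "[dropped-file] $dropped exists" }

# Firewall tampering, value by value as described in the write-up.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
Test-RegValue $sc 'FirewallDisableNotify' 1 'firewall-notify-suppressed'
Test-RegValue $sc 'FirewallOverride' 1 'firewall-override'
# Start = 4 means the SharedAccess (Windows Firewall/ICS) service is disabled.
Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' 'Start' 4 'firewall-service-disabled'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    Test-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile" 'EnableFirewall' 0 "firewall-policy-$profile"
}

if ($findings.Count -eq 0) { 'No Joleee indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM policy keys are readable; a single hit on the firewall policy values can also come from legitimate group policy, so correlate it with the Run entry and the dropped file before drawing conclusions.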