The other day my computer was infected by a USB worm known as Jamesgo.dll. I received the virus when I inserted my girlfriend’s USB thumb drive. The worm modified the autorun.inf file on the thumb drive, so it was able to automatically transfer itself to all my hard disk drives. There is little information on the internet about this virus, so I had to figure out my own way to remove it.

By analyzing the autorun.inf (which the virus cleverly changed to a system hidden file; I later found out that it also modified the registry so system hidden files are never displayed) I discovered that each drive contains the Visual Basic script test.vbs. Basically, the file copies test.bat, test.reg, autorun.inf, autorun.ico, and itself to every hard disk in the system. It also runs every 60 seconds, so if you delete it from one drive, within 60 seconds it will recopy itself from a different drive. Furthermore, test.reg simply edits the registry so that test.bat runs on startup and system hidden files are prevented from being displayed. Test.bat runs the VB script and changes the files to system, hidden, archive, and read-only.

To remove the virus I crafted a batch file that changes all the test files and autorun files back to normal files (attrib -s -h -r test.*, attrib -s -h -r autorun.*) and then deletes them. Since the batch file can delete all the files quickly, the worm does not have a chance to recopy itself to all the disk drives. I also manually removed all entries of test.bat from the registry.
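Because the worm hides its files from Explorer, a drive root is easier to check from a script than by eye. The following triage script is an added example, not one of the files from the original post; the sample autorun.inf content is constructed, and the list of launch keys reflects the standard autorun.inf format rather than the worm's actual file.

```python
import os
import re
import tempfile

# [autorun] keys that make Windows start a program when the drive is opened.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Launch targets that are scripts or script hosts rather than an installer.
SCRIPT_HINT = re.compile(r"\.(vbs|vbe|js|bat|cmd)\b|\b[wc]script\b", re.I)
# File names the post says the worm copies to every drive root.
DROPPED = ("test.vbs", "test.bat", "test.reg", "autorun.ico")

def parse_autorun(text):
    """Return {key: command} for launch entries in the [autorun] section."""
    section, found = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEYS.match(key):
                found[key.lower()] = value
    return found

def triage_root(root):
    """Report launch entries and dropped files in one drive root.
    os.listdir also returns hidden+system files that Explorer is not showing."""
    names = {n.lower(): n for n in os.listdir(root)}
    report = {"launch": {}, "script_launch": [], "dropped": []}
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="latin-1") as fh:
            report["launch"] = parse_autorun(fh.read())
        report["script_launch"] = sorted(
            k for k, v in report["launch"].items() if SCRIPT_HINT.search(v))
    report["dropped"] = sorted(n for n in DROPPED if n in names)
    return report

def demo():
    """Run the triage on a temporary directory holding constructed sample files."""
    sample = "[AutoRun]\n; constructed sample\nopen=wscript.exe test.vbs\nicon=autorun.ico\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("AUTORUN.INF", sample), ("test.vbs", ""), ("notes.txt", "")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return triage_root(root)

if __name__ == "__main__":
    print(demo())
```

On a real system, call `triage_root` once per drive root (for example `E:\`) before opening the drive in Explorer.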
To prevent a USB Worm from infecting your computer:
1) Go to Start -> Run
2) Type “gpedit.msc” (This is the group policies editor)
3) Click “Administrative Templates” under Computer Configuration
4) Then click “System”
5) Select “Turn off Autoplay”
6) Set it to “Enable” and choose to “Turn off Autoplay on All Drives”
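To confirm that the policy above actually took effect, the registry value it controls can be decoded. This audit script is an added example, not part of the original post; the key path, the `NoDriveTypeAutoRun` value name, the bit meanings and the HKLM-over-HKCU precedence are standard Windows behaviour that the post itself does not mention.

```python
# NoDriveTypeAutoRun bit -> drive type whose AutoRun is switched off when set.
DRIVE_BITS = {0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cd-rom", 0x40: "ram disk", 0x80: "reserved"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def read_policy():
    """Read the value from HKLM and HKCU (Windows only); missing values become None."""
    import winreg
    result = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                result.append(winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0])
        except OSError:
            result.append(None)
    return tuple(result)

def audit(hklm=None, hkcu=None):
    """Decode the effective value and report which drive types are covered."""
    value = hklm if hklm is not None else hkcu  # HKLM takes precedence when present
    if isinstance(value, bytes):                # some systems store it as REG_BINARY
        value = int.from_bytes(value, "little")
    bits = value or 0
    off = [name for bit, name in DRIVE_BITS.items() if bits & bit]
    on = [name for bit, name in DRIVE_BITS.items() if not bits & bit]
    # Thumb drives are "removable"; the worm also copies itself to "fixed" disks.
    return {"value": value, "autorun_off": off, "autorun_on": on,
            "removable_and_fixed_off": bool(bits & 0x04 and bits & 0x08)}

if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        print(audit(*read_policy()))
    else:
        # Constructed values: 0xFF is "All drives", 0x91 leaves removable media on.
        print(audit(hklm=0xFF))
        print(audit(hkcu=0x91))
```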
In conclusion, the Jamesgo.dll USB Worm is not a risk for your computer, but it is really annoying! Also, it is a perfect example of how easy it is to create a worm that travels through removable media. If you want to mess around and modify the Jamesgo.dll script you can download it here. If you want to learn more on how to use Autorun and Batch files to create an “Auto Hacking USB Thumb Drive” go here.
Interesting Note: The Jamesgo.dll USB Worm was created in the Philippines which is stated in test.vbs, and the Thumb Drive that infected my computer was purchased in the Philippines and brought back to the US by my girlfriend’s mother.