W32.Jaydotto Uses Old School Virus Tricks

The W32.Jaydotto infection uses old virus tactics to hide itself while infecting your system

The W32.Jaydotto infection was recently found to be using old virus infection methods to hide itself on an infected machine. When researchers first examined it, W32.Jaydotto looked like a regular worm that spreads by copying itself, together with an autorun.inf file, to any removable drive attached to the system, but it is considerably more involved than that. The way it conceals its body on the drive is a technique older viruses used to stay hidden, and it helps the infection persist on the machine for a long time.

Detailed (old school) functions of the W32.Jaydotto worm infection

W32.Jaydotto searches for all removable devices (disk drives) that have a FAT partition. It then picks a random location on the drive with enough free space to hold itself. Before writing to that location it encrypts its body with about three randomly generated keys, and it writes the encrypted data directly to the disk clusters rather than through the file system, so no file name is created. It then marks the clusters it used as bad (corrupted) or reserved in the file allocation table, which keeps the file system from ever allocating them to another file. Next it writes a small loader as a regular file at (drive letter):\Recycled\L.exe. Finally it creates an autorun.inf file in the root of the drive that will later run the loader.
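As an added illustration (not code from the article, and not derived from the sample itself), the following Python scans a raw FAT16 volume image for the two on-disk artefacts just described: clusters that the FAT marks bad but which still contain data, and an autorun.inf in the root directory together with what it would launch. Everything it runs against is constructed in memory: the image layout, the payload stand-in bytes(range(256)) * 2, the hidden cluster number 40, and the open=Recycled\L.exe line are assumptions for the demonstration, not values observed in W32.Jaydotto.

```python
"""Scan a FAT16 image for bad-marked clusters that still hold data and report
what the root autorun.inf launches. Added example; the image is constructed."""
import math
import struct

FAT16_BAD = 0xFFF7   # bad-cluster marker (FAT12 uses 0xFF7, FAT32 0x0FFFFFF7)
AUTORUN_KEYS = ("open", "shellexecute")


def shannon_entropy(data):
    """Bits per byte: ~8.0 for encrypted/random data, 0.0 for zeroed clusters."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class Fat16Image:
    """Minimal read-only FAT16 view over a bytes-like image."""

    def __init__(self, img):
        self.img = img
        (self.bps, self.spc, reserved, nfats,
         self.root_entries, total) = struct.unpack_from("<HBHBHH", img, 11)
        spf = struct.unpack_from("<H", img, 22)[0]
        self.fat_off = reserved * self.bps
        self.root_off = self.fat_off + nfats * spf * self.bps
        root_sectors = (self.root_entries * 32 + self.bps - 1) // self.bps
        self.data_off = self.root_off + root_sectors * self.bps
        self.cluster_size = self.spc * self.bps
        self.n_clusters = (total - self.data_off // self.bps) // self.spc

    def fat_entry(self, n):
        return struct.unpack_from("<H", self.img, self.fat_off + 2 * n)[0]

    def cluster(self, n):
        start = self.data_off + (n - 2) * self.cluster_size
        return bytes(self.img[start:start + self.cluster_size])

    def read_chain(self, first, size):
        out, n = bytearray(), first
        # Stops on end-of-chain (0xFFF8+), bad (0xFFF7) or out-of-range entries.
        while 2 <= n < 2 + self.n_clusters:
            out += self.cluster(n)
            n = self.fat_entry(n)
        return bytes(out[:size])

    def root_dir(self):
        """Yield (8.3 name, first cluster, size) for live root entries."""
        for i in range(self.root_entries):
            off = self.root_off + 32 * i
            name = bytes(self.img[off:off + 11])
            if name[0] == 0:            # end of directory
                break
            if name[0] != 0xE5:         # 0xE5 = deleted entry
                yield (name,) + struct.unpack_from("<HI", self.img, off + 26)


def analyze(img):
    fs = Fat16Image(img)
    # Bad-marked clusters belong to no file, so a freshly formatted stick has
    # them zeroed; an encrypted body shows up there as high-entropy data.
    hidden = [(n, shannon_entropy(fs.cluster(n)))
              for n in range(2, 2 + fs.n_clusters)
              if fs.fat_entry(n) == FAT16_BAD and any(fs.cluster(n))]
    targets = []
    for name, first, size in fs.root_dir():
        if name == b"AUTORUN INF":
            for line in fs.read_chain(first, size).decode("latin-1").splitlines():
                key, _, value = line.partition("=")
                if key.strip().lower() in AUTORUN_KEYS:
                    targets.append(value.strip())
    return {"bad_clusters_with_data": hidden, "autorun_targets": targets}


def build_image(hide_cluster, payload, autorun_text):
    """Constructed FAT16 image: autorun.inf in cluster 2, payload in a cluster
    marked bad, and the next cluster marked bad but left empty."""
    bps, spc, reserved, nfats, root_entries, spf, total = 512, 1, 1, 1, 16, 17, 4200
    img = bytearray(total * bps)        # 4181 clusters, so genuinely FAT16
    struct.pack_into("<3s8sHBHBHHBH", img, 0, b"\xEB\x3C\x90", b"MSWIN4.1",
                     bps, spc, reserved, nfats, root_entries, total, 0xF8, spf)
    img[510:512] = b"\x55\xAA"
    fs = Fat16Image(img)
    for n, v in ((0, 0xFFF8), (1, 0xFFFF), (2, 0xFFFF),
                 (hide_cluster, FAT16_BAD), (hide_cluster + 1, FAT16_BAD)):
        struct.pack_into("<H", img, fs.fat_off + 2 * n, v)
    body = autorun_text.encode("latin-1")
    struct.pack_into("<11sB14xHI", img, fs.root_off, b"AUTORUN INF", 0x20, 2, len(body))
    img[fs.data_off:fs.data_off + len(body)] = body
    hc = fs.data_off + (hide_cluster - 2) * fs.cluster_size
    img[hc:hc + len(payload)] = payload
    return img


if __name__ == "__main__":
    # bytes(range(256)) * 2 stands in for the encrypted body (entropy 8.0).
    print(analyze(build_image(40, bytes(range(256)) * 2,
                              "[autorun]\r\nopen=Recycled\\L.exe\r\n")))
```

To use it on a suspect stick, pass the bytes of a raw image of the volume to analyze(). Genuine bad clusters are rare on flash media and, when present, do not hold coherent high-entropy data, so any bad-marked cluster reported with entropy near 8 deserves a look. The scanner understands FAT16 only: FAT12 packs 12-bit entries and FAT32 uses 32-bit entries, each with its own bad-cluster marker as noted in the code.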

The whole infection process enables the W32.Jaydotto worm to stay hidden while it carries out its malicious tasks. The operating system on the infected computer will not even recognise where the worm's body is, because it is not stored under a file name the OS knows about. W32.Jaydotto is also partially redundant in the way it infects removable drives through autorun.inf: if a user notices the infection through the autorun.inf file and deletes it, W32.Jaydotto will attempt to re-infect the drive that autorun.inf was deleted from. Deleting autorun.inf touches only that file; the encrypted body still sits in the clusters marked bad, since no directory entry points at it. This is a sneaky process and makes manual removal of W32.Jaydotto very discouraging.

Removal process for W32.Jaydotto

One way to stop W32.Jaydotto from re-populating itself through autorun.inf is to disable the AutoRun function for removable drives in the system's registry. Do this before starting the removal process, so that plugging in an infected drive does not launch the loader again. Then use a reputable spyware and/or virus removal program to remove W32.Jaydotto completely from your system, since the encrypted body is not a file you can delete through the file system. For a removable drive with nothing worth keeping on it, reformatting it rebuilds the file allocation table and removes the hidden body, the loader and autorun.inf together.
