Threat description




This worm exploits a well-known hoax about the jdbgmgr.exe file in order to spread. That file is normally a Windows component; the worm overwrites it, so the warnings stating that the file is harmless no longer hold true. The icon of the Recory worm looks like this:

The information about the hoax can be found:

The worm is written in Visual Basic, spreads through IRC by modifying mIRC scripts, and tries to copy itself to the shared folders of several P2P and messaging programs.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm is UPX packed.

Names of the files copied to shared folders of P2P programs are:

  • The Lord of the Rings - The Two Towers (Fast-Downloader).pif
  • 007 - Die Another Day (Rocket Downloader).pif
  • Harry Potter and the Chamber of Secrets (Fast-Downloader).pif
  • Britney Spears Wallpaper.pif
  • Harry Potter and the Philosophers Stone (Movie-Downloader).pif

Among the affected programs are:

  • Kazaa
  • Kazaa Lite
  • ICQ
  • Bearshare
  • Edonkey2000
  • Morpheus
  • Grokster

The worm sends e-mails with the following text:

------------------------------------------------------------------
Hello readers,
I have just cleaned my computer from a highly damaging computer virus
Which is spreading rapidly through computer networks worldwide.
There is one way to check to see if your computer is infected with this virus.
Click the "Start" menu at the bottom left of your screen.
Click the "Find" or "Search" button.
Click the "Files or folders..." option.
Then once the search application starts, type "Jdbgmgr.exe"
If you have found this file, right-click on it and click the "Properties" tab.
If the Properties menu has a picture of a bear on it,
your computer is infected with this virus. (Note that the non-infected file
picture has a hammer and a screwdriver shown in it)
You may delete this file, but this is not the only file that the virus infects,
To remove this virus, I have included a virus removal tool in the attachments
that will scan all system files and remove any infectious code from them.
This virus removal tool is very easy to use. If you have any trouble with this
tool, read the help menu that the removal tool supplies.
If your computer is infected with this virus, It is strongly recommended that you
send this removal tool to as many people as you can to help remove the traces of
this virus worldwide.


Of course, contrary to what the message says, the bear icon belongs to the normal version of the jdbgmgr.exe file; the one with the screwdriver is the worm.

It copies itself to the following files:

In the Windows Startup folder:

  • "LoadWin.pif"

In the "Windows\System32" folder:

  • ""
  • "CheckThis.pif"
  • "Jdbgmgr.exe"
  • "Msjpeg32.pif"
  • "Runsys32.bat"
  • "Regfiles.bat"
  • "Winbatch.bat"
  • "Msjava.pif"
  • ""
  • "Mswin32.pif"
  • "Winocx32.pif"

In the "Windows\Java" folder:

  • "WinJava32.pif"
  • "Javatemp.bat"
  • ""

In the Windows folder:

  • "Jdbgmgr.exe"
  • "TempFiles.pif"
  • "WinStartup.pif"
  • "Msupdater32.pif"
  • "WinStart32.pif"
  • ""
  • ""
  • ""
  • "Charmap.pif"

In "Documents And Settings/[User]/Local Configuration/Temp":


In shared drives as:


It also saves itself under names like those generated for the attachments.

Possible subjects for the message are listed below; each can be preceded by "Fw:" or "Fwd:".

  • Computer virus outbreak
  • Computer virus removal
  • About a severe computer virus
  • Severe computer virus alert
  • Virus removal tool
  • Severe alert
  • Attention employees
  • Alert
  • Readme
  • Important
  • Important Information
  • Update your virus scanners
  • Warning
  • Microsoft support
  • Knowledge Database alert
  • Virus warning
  • Virus alert
  • Help with removal
  • Removal tool
  • Urgent news

Possible names for the attachment can be:

  • RemovalTool
  • FixTool
  • KillVir
  • KillVirus
  • RepairVirus
  • RepairVir
  • Cleaner
  • VirusFix
  • CleanVirus
  • CleanVir
  • VirFix
  • FixVir
  • FixVirus
  • VirusRemoval
  • RemoveVirus
  • WinProtect
  • VirusClean
  • VirusCleaner
  • ScanVir
  • ScanVirus
  • Repair
  • RepairWizard
  • RepairScan
  • Scanner
  • FileScanner
  • ScanFiles
  • FixFiles
  • FileFix
  • RepairTool
  • VirusRepair
  • VirRepair
  • RepairFiles
  • FileRepair
  • AntiVirus
  • AntiVir
  • RemoveVir
  • CleanFiles
  • FileClean
  • FileCleaner
  • FileRepairer
  • CleanTool
  • CleanerTool
  • FixComputer
  • RepairComputer
  • CleanComputer
  • FixComp
  • RepairComp
  • CleanComp
  • FixPC
  • RepairPC
  • CleanPC
  • FixSystem
  • RepairSystem
  • CleanSystem
  • FixSys
  • RepairSys
  • CleanSys
  • SystemFix
  • SystemClean
  • SystemRepair
  • SysFix
  • SysClean
  • SysRepair
  • Recovery

With any extension from the following list (.exe, .pif, .com, ).
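
The subject and attachment indicators above can be turned into a mail-gateway check. The following is an added example, not code from F-Secure or from the original description; the function names, the verdict labels, the case-insensitive matching and the sample messages are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicator lists copied from the description; case-insensitive matching is an assumption.
SUBJECTS = {s.lower() for s in (
    "Computer virus outbreak|Computer virus removal|About a severe computer virus|"
    "Severe computer virus alert|Virus removal tool|Severe alert|Attention employees|"
    "Alert|Readme|Important|Important Information|Update your virus scanners|Warning|"
    "Microsoft support|Knowledge Database alert|Virus warning|Virus alert|"
    "Help with removal|Removal tool|Urgent news"
).split("|")}
NAMES = {n.lower() for n in (
    "RemovalTool FixTool KillVir KillVirus RepairVirus RepairVir Cleaner VirusFix "
    "CleanVirus CleanVir VirFix FixVir FixVirus VirusRemoval RemoveVirus WinProtect "
    "VirusClean VirusCleaner ScanVir ScanVirus Repair RepairWizard RepairScan Scanner "
    "FileScanner ScanFiles FixFiles FileFix RepairTool VirusRepair VirRepair RepairFiles "
    "FileRepair AntiVirus AntiVir RemoveVir CleanFiles FileClean FileCleaner FileRepairer "
    "CleanTool CleanerTool FixComputer RepairComputer CleanComputer FixComp RepairComp "
    "CleanComp FixPC RepairPC CleanPC FixSystem RepairSystem CleanSystem FixSys RepairSys "
    "CleanSys SystemFix SystemClean SystemRepair SysFix SysClean SysRepair Recovery"
).split()}
# Only the three extensions legible in the description; its list is cut off after ".com".
EXTENSIONS = {".exe", ".pif", ".com"}
# One or more "Fw:" / "Fwd:" prefixes (repeated prefixes are an added generalization).
FWD_PREFIX = re.compile(r"^\s*(?:fwd?:\s*)+", re.IGNORECASE)

def subject_matches(subject):
    """True if the subject, minus any Fw:/Fwd: prefix, is on the list."""
    return FWD_PREFIX.sub("", subject).strip().lower() in SUBJECTS

def attachment_matches(filename):
    """True if both the base name and the final extension are listed."""
    p = PureWindowsPath(filename.strip())
    return p.stem.lower() in NAMES and p.suffix.lower() in EXTENSIONS

def score_message(subject, attachments):
    """Return (verdict, matching attachments). Generic subjects such as
    "Important" are common in clean mail, so a subject alone is only logged."""
    hits = [a for a in attachments if attachment_matches(a)]
    subj = subject_matches(subject)
    if hits and subj:
        return ("block", hits)
    if hits:
        return ("quarantine", hits)
    return ("log" if subj else "pass", [])

if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for subj, atts in [("Fwd: Virus removal tool", ["RemovalTool.pif"]),
                       ("FW: Important", ["notes.txt"])]:
        print(subj, atts, score_message(subj, atts))
```
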

The following key is created in the Windows registry:

