Worm:VBS/Jenxcus.K
First posted on 15 February 2019.
Source: Microsoft
Aliases:
Worm:VBS/Jenxcus.K is also known as W32/Script.SUSPIC!tr, Trojan.Script.VBS.Runner.a.
Explanation:
Installation
When run, this VBScript worm creates a copy of itself in either %TEMP%, %APPDATA% or %USERPROFILE% with a random file name, for example:
%TEMP%\habnxsgne.vbs
%APPDATA%\zxtpfcazlb.vbs
The worm changes the following registry entry so the malware runs each time you start your PC.
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "", for example, "bhabnxsgne"
With data: "wscript.exe //B ".vbs"", for example, "wscript.exe //B "%TEMP%\habnxsgne.vbs""
The worm also copies itself in the.
It creates the registry key HKLM\software as an infection marker.
Spreads via...
Removable devices
This worm spreads via removable storage devices, such as floppy disk drives or USB flash drives.
It checks your PC for removable drives. If a removable drive is found, the worm copies itself to that drive and creates several link (.lnk) files that run the VBScript worm.
The .lnk file names are created using the file names already on the removable drive.
For example: If there is a file called sample.doc on the removable device, the worm creates a file called sample.lnk. This .lnk file redirects to a VBScript file that installs another copy of itself on the removable drive. The worm then changes the attributes of the sample.doc file to "hidden" and "system" to hide the legitimate file. It does this to encourage you to click on the .lnk file and run the worm.
(The original page illustrates this with screenshots of the removable drive before and after infection.)
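As an added example (not from Microsoft's write-up), here is a small Python checker for the two host artefacts described above: a Run-key value that launches a .vbs silently via wscript.exe //B from %TEMP%, %APPDATA% or %USERPROFILE%, and a file on a removable drive that has been hidden behind a same-named .lnk. The inputs are constructed dictionaries, and the function names and attribute constants are my own assumptions.

```python
"""Detection helpers for the Jenxcus.K persistence and .lnk-shadowing artefacts.

Constructed example: inputs are plain Python data so it runs offline. On a live
system you would feed it the HKLM Run key values and a listing of the drive root.
"""
import re
from pathlib import PureWindowsPath

# Windows file attribute bits (FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM).
HIDDEN = 0x2
SYSTEM = 0x4

# Run-key data of the form: wscript.exe //B "<path>\<name>.vbs"  (//B = silent mode)
RUN_DATA_RE = re.compile(
    r'^wscript(?:\.exe)?\s+//B\s+"?(?P<path>[^"]+\.vbs)"?\s*$', re.IGNORECASE
)
# User-writable staging directories the worm drops its copy into.
STAGING_DIRS = ("%TEMP%", "%APPDATA%", "%USERPROFILE%")


def suspicious_run_entries(run_values):
    """run_values: {value_name: data} from the Run key.
    Returns the value names whose data silently launches a .vbs from a
    staging directory, the persistence pattern described above."""
    hits = []
    for name, data in run_values.items():
        m = RUN_DATA_RE.match(data.strip())
        if m and m.group("path").upper().startswith(STAGING_DIRS):
            hits.append(name)
    return hits


def shadowed_files(listing):
    """listing: {filename: attribute_bits} for one removable drive root.
    Returns the original files that have a same-named .lnk sibling and carry
    both hidden and system attributes, the trace the worm leaves behind."""
    names = {n.lower() for n in listing}
    hits = []
    for fname, attrs in listing.items():
        p = PureWindowsPath(fname)
        if p.suffix.lower() == ".lnk":
            continue  # the decoy itself, not a hidden original
        has_lnk_twin = p.with_suffix(".lnk").name.lower() in names
        if has_lnk_twin and attrs & HIDDEN and attrs & SYSTEM:
            hits.append(fname)
    return sorted(hits)
```

On Windows the Run key can be read with Get-ItemProperty and the drive listing with Get-ChildItem -Force (the -Force is needed to see hidden and system files).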
Payload
Lets a hacker access and control your PC
This worm contacts a remote server using an HTTP POST request.
It sends the following information about your PC to the server:
Disk volume serial number
PC name
User name
Operating system information, for example, the name and version
Antimalware software details
Once it receives information about your PC, the remote server replies to the worm with instructions on what to do next. The commands may be any of the following:
Run a command on the PC
Download and run a file, including other malware
Update the worm
Remove the worm after an update or after other malware is run
We have seen the worm contact a number of remote servers.
Analysis by Ric Robielos. Last update 15 February 2019.