
Worm:Win32/Jenxcus.D


First posted on 27 November 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Jenxcus.D.

Explanation :

Threat behavior

Installation

This worm copies itself with the file name serveceis.exe into %APPDATA% and .

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "serveceis.exe"
With data: "%APPDATA%\serveceis.exe"

Spreads via...

Removable drives

If this worm detects a removable drive in your PC, it copies itself into the root folder of that drive. It also creates a shortcut link file pointing to its copy in the removable drive.

Its copy in the removable drive might also be named Serviecs.vbs, Servieca.vbs, or njq8.vbs.

Payload

Steals computer information

This worm collects:

  • The user names and passwords saved in your web browser.
  • Your PC's operating system version, architecture (32-bit or 64-bit), and service pack.
  • Information about whether you are running in a virtual or physical environment.
  • The names or types of security software you have installed (such as your antivirus or firewall software).


It sends this information to a hardcoded command and control server.

Downloads files

The worm can upload and download files from the command and control server. It can run the files, which might be other malware, on your PC.

Changes firewall settings

The threat can remove and add apps that are allowed or blocked by the firewall. It's likely it does this to make it easier for it to communicate with its command and control server.

Displays fake errors

The worm can display fake system errors, such as the following:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

The problem seems to be caused by the following file: SPCMDCON.SYS

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)

*** SPCMDCON.SYS - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c



Analysis by Zarestel Ferrer

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    "%APPDATA%\serveceis.exe"
  • You see these entries or keys in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "serveceis.exe"
    With data: "%APPDATA%\serveceis.exe"
  • You see an error that includes the following:

    The problem seems to be caused by the following file: SPCMDCON.SYS

    PAGE_FAULT_IN_NONPAGED_AREA
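A triage check that compares the persistence and removable-drive indicators listed above against data collected from a host, added here as an example (not Microsoft's or the page's own code). The Run-key and drive-root inputs below are constructed samples; on a live Windows host they would come from reading the two Run keys (for example with the standard `winreg` module) and listing the root folder of each removable drive.

```python
import ntpath

# Indicators taken from the page, lower-cased for case-insensitive matching.
RUN_VALUE_NAME = "serveceis.exe"
DROPPED_FILE = "serveceis.exe"
DRIVE_COPY_NAMES = {"serviecs.vbs", "servieca.vbs", "njq8.vbs"}

def check_run_keys(run_keys):
    """run_keys maps a Run key path to its {value_name: data} entries.
    A hit is a value named serveceis.exe, or data whose file name is
    serveceis.exe (so an expanded %APPDATA% path still matches)."""
    hits = []
    for key_path, values in run_keys.items():
        for name, data in values.items():
            target = ntpath.basename(data.strip('"')).lower()
            if name.lower() == RUN_VALUE_NAME or target == DROPPED_FILE:
                hits.append(f"{key_path}: {name} = {data}")
    return hits

def check_drive_roots(drive_roots):
    """drive_roots maps a removable drive letter to the file names in its root.
    Reports the named .vbs copies and, only beside such a copy, any .lnk file,
    which may be the shortcut the worm drops to point at its copy."""
    hits = []
    for drive, names in drive_roots.items():
        lowered = {n.lower() for n in names}
        copies = sorted(lowered & DRIVE_COPY_NAMES)
        if not copies:
            continue
        hits.extend(f"{drive}\\{c}: known worm copy name" for c in copies)
        hits.extend(f"{drive}\\{n}: shortcut next to worm copy"
                    for n in sorted(lowered) if n.endswith(".lnk"))
    return hits

# Constructed sample data: one infected HKCU Run key, one clean HKLM key,
# one removable drive carrying the njq8.vbs copy plus a lure shortcut.
SAMPLE_RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        "serveceis.exe": r"%APPDATA%\serveceis.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
}
SAMPLE_DRIVE_ROOTS = {"E:": ["photos", "njq8.vbs", "photos.lnk"], "F:": ["report.docx"]}

if __name__ == "__main__":
    for line in check_run_keys(SAMPLE_RUN_KEYS) + check_drive_roots(SAMPLE_DRIVE_ROOTS):
        print(line)
```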

Last update 27 November 2014
