
Worm:VBS/Jenxcus.BC


First posted on 27 February 2014.
Source: Microsoft

Aliases:

There are no other names known for Worm:VBS/Jenxcus.BC.

Explanation:

Threat behavior

Installation

When run, this VBScript worm creates a copy of itself in %TEMP%. The file name can vary; some of the file names we have seen include:

  • 5588.vbs
  • google.vbs
  • mzab.vbs
  • xxxxxxxx.vbs


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: ""
With data: "wscript.exe //B "\.vbs""

The worm also copies itself to the .

It creates the registry key HKLM\software\ as an infection marker.

Spreads via...

Removable drives

This worm spreads via removable storage drives, such as USB flash drives.

It checks your PC for removable drives. If a removable drive is found, the worm copies itself onto that drive. It also creates several link (.lnk) files that run the VBScript worm. The .lnk file names are created using file names already on the removable drive.

Payload

Give hacker access to your PC

This worm can give a hacker access to and control of your PC.

This worm contacts a remote server using an HTTP POST request. We have seen it connect to http://servecounterstrike.servecounterstrike.com on port 99.

The remote server sends instructions to the worm, and can tell it to do the following:

  • Run a command on the PC
  • Download and run a file, including other malware
  • Update the worm
  • Remove the worm after an update or after other malware is run
  • Send a local file for upload
  • Get a list of installed drivers, folders, sub-folders, and running processes
  • End certain processes




Analysis by Vincent Tiu

Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKLM\software\microsoft\windows\currentversion\run
    Sets value: ""
    With data: "wscript.exe //B "\.vbs""
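
A check for the Run-key symptom above, as an added example that is not Microsoft's code or signature: it flags autorun values whose data launches wscript.exe in batch mode (//B) on a .vbs file. The sample entries, their value names and the Temp-path heuristic are assumptions made for this example.

```python
import re
import sys

RUN_KEY = r"software\microsoft\windows\currentversion\run"  # subkey from the page

# Constructed sample (value name, data) pairs; not taken from a real infection.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("google", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\google.vbs"'),
    ("Backup", r'wscript.exe "C:\Scripts\backup.vbs"'),
    ("upd", r'"C:\Windows\System32\WScript.exe" //b //nologo "D:\tools\upd.vbs"'),
]

def parse_run_data(data):
    """Return the .vbs path if data launches wscript in batch mode (//B), else None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', str(data))]
    if not tokens:
        return None
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("wscript", "wscript.exe"):
        return None
    args = tokens[1:]
    batch = any(a.lower() == "//b" for a in args)
    scripts = [a for a in args if a.lower().endswith(".vbs")]
    return scripts[0] if batch and scripts else None

def find_suspicious(entries):
    """Return (value name, script path, script_in_temp) for each matching entry."""
    hits = []
    for name, data in entries:
        script = parse_run_data(data)
        if script is not None:
            low = script.lower()
            # Assumption: a script under a Temp folder is the stronger lead,
            # since the page says the worm copies itself to %TEMP%.
            hits.append((name, script, "\\temp\\" in low or "%temp%" in low))
    return hits

def read_hklm_run():
    """Read the live HKLM Run key (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return [winreg.EnumValue(key, i)[:2] for i in range(count)]

if __name__ == "__main__":
    entries = read_hklm_run() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for name, script, in_temp in find_suspicious(entries):
        print(f"review: {name!r} -> {script} (in Temp: {in_temp})")
```

A match is a lead for review rather than a verdict, because legitimate logon scripts can also be started with wscript.exe //B.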

Last update 27 February 2014

 
