Worm:VBS/Jenxcus
First posted on 06 November 2013.
Source: Microsoft
Aliases:
There are no other names known for Worm:VBS/Jenxcus.
Explanation:
Threat behavior
Installation
Worm:VBS/Jenxcus can be installed in any of the following directories:
- %APPDATA%
- %ProgramData%
- <startup folder>
- %TEMP%
- %USERPROFILE%
- %windir%
We have seen this threat installed with the following file names:
- crypted.vbs
- do.vbs
- file.vbs
- nj-worm.vbs
- servieca.vbs
- system32.vbs
- Taakj2005.vbs
- temp.vbs
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>", for example, "Serviecs.vbs"
With data: "<malware folder and file name>", for example, "%TEMP%\Serviecs.vbs"
Spreads via...
Removable drives
If this worm detects a removable drive connected to your PC, it copies itself into every folder in that drive. We have seen the file dropped as Serviecs.vbs, Servieca.vbs, njq8.vbs or help.vbs.
It also creates a shortcut link pointing to its copy in the removable drive.
The worm can also arrive on your PC within a file downloaded online or in a torrent.
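As an added example that is not part of the original Microsoft write-up, the following Python turns the installation and removable-drive behaviour described above into two host-side checks a responder could run over exported data: one over Run-key values, one over a file listing of a removable drive. The install directories, file names and Run subkeys come from this page; the Run-key entries and the drive listing the checks run on are constructed sample data.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the page: install directories, dropped file names, Run subkeys.
INSTALL_DIRS = {d.lower() for d in ("%APPDATA%", "%ProgramData%", "%TEMP%", "%USERPROFILE%", "%windir%")}
KNOWN_NAMES = {n.lower() for n in (
    "crypted.vbs", "do.vbs", "file.vbs", "nj-worm.vbs", "servieca.vbs", "system32.vbs",
    "Taakj2005.vbs", "temp.vbs", "Serviecs.vbs", "njq8.vbs", "help.vbs",
)}
RUN_KEYS = {k.lower() for k in (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)}


def suspicious_run_entries(entries):
    """entries: (subkey, value_name, data) triples as exported from the Run keys.

    Returns (value_name, target, reasons) for each entry whose data launches a
    .vbs script, with extra reasons when the script sits directly in one of the
    page's install directories or carries one of the page's file names."""
    hits = []
    for subkey, name, data in entries:
        if subkey.lower() not in RUN_KEYS:
            continue
        target = data.strip().strip('"')
        if not target.lower().endswith(".vbs"):
            continue
        folder, fname = ntpath.split(target)
        reasons = ["Run value launches a .vbs script"]
        if folder.lower() in INSTALL_DIRS:
            reasons.append(f"script sits directly in {folder}")
        if fname.lower() in KNOWN_NAMES or name.lower() in KNOWN_NAMES:
            reasons.append("name matches a file name seen with Jenxcus")
        hits.append((name, target, reasons))
    return hits


def removable_drive_copies(paths, min_folders=3):
    """paths: file paths enumerated from a removable drive.

    Looks for the layout the page describes: one .vbs name repeated across many
    folders, plus .lnk shortcuts in a folder that also holds a copy of it."""
    vbs_folders = defaultdict(set)
    lnk_folders = set()
    for p in paths:
        folder, fname = ntpath.split(p)
        low = fname.lower()
        if low.endswith(".vbs"):
            vbs_folders[low].add(folder.lower())
        elif low.endswith(".lnk"):
            lnk_folders.add(folder.lower())
    findings = []
    for script, folders in vbs_folders.items():
        if len(folders) >= min_folders or script in KNOWN_NAMES:
            findings.append({
                "script": script,
                "folders": len(folders),
                "known_name": script in KNOWN_NAMES,
                "shortcut_beside_copy": bool(folders & lnk_folders),
            })
    return findings


# Constructed sample data (not from the page): two benign Run values and one
# matching the page's example, plus a drive listing with the copy-everywhere pattern.
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Serviecs.vbs",
     r"%TEMP%\Serviecs.vbs"),
]
SAMPLE_DRIVE_LISTING = [
    r"E:\Photos\IMG_0001.jpg", r"E:\Photos\Servieca.vbs", r"E:\Photos.lnk",
    r"E:\Docs\report.docx", r"E:\Docs\Servieca.vbs", r"E:\Docs.lnk",
    r"E:\Music\track.mp3", r"E:\Music\Servieca.vbs", r"E:\Music.lnk",
    r"E:\Servieca.vbs",
]

if __name__ == "__main__":
    for name, target, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run value {name!r} -> {target}: {'; '.join(reasons)}")
    for finding in removable_drive_copies(SAMPLE_DRIVE_LISTING):
        print(finding)
```

The Run-key check deliberately flags any .vbs launched from a Run value, not only the names listed here, because the dropped file name varies between samples; the directory and known-name matches are reported as additional reasons so an analyst can rank the hits.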
Payload
Backdoor access and control
Worm:VBS/Jenxcus can give a hacker backdoor access and control of your PC to:
- Run files
- Steal your online user names and passwords and the URL you entered them on
- Update files
- Uninstall itself
It sends information about your system to the hacker, including your PC's:
- IP address
- USB drives
- Active windows
- Users
- Name
- Operating system
We have seen this worm connect to the following domains using a random port:
- 178.61.186.27:288
- 999mostafa999.no-ip.biz
- 9d1.no-ip.org
- a.servecounterstrike.com
- abanas19.no-ip.biz
- abdo1abdo.no-ip.biz
- adolf2013.sytes.net
- ahmad909.no-ip.biz:1061
- ajeeb.zapto.org:1777
- ali2010.no-ip.biz
- aljabiry1.no-ip.biz
- alnazee.no-ip.org:1993
- alnazee.no-ip.org:3339
- alsha2e.zapto.org
- amere-ali.no-ip.biz
- aore.no-ip.org
- asmarany.no-ip.biz
- asmarany.np-ip.biz:3133
- aymen112233.no-ip.org
- bifrost-jordan.zapto.org
- big-hack.no-ip.com
- blackhawk.myftp.biz
- cggfhddsscds.no-ip.biz:288
- cxxz.no-ip.biz
- damla.no-ip.org:100
- dhuaa.no-ip.org:4444
- dnsip.servehttp.com:1604
- doopy99.zapto.org
- fadliking.sytes.net
- fons.no-ip.info
- frostate.no-ip.biz
- ghoster13.no-ip.biz
- gmail2013.no-ip.info
- hackeralbasrah.no-ip.biz
- haedar.no-ip.biz
- hanan96.no-ip.biz:3360
- iraqi2013.servemp3.com:3010
- jn.redirectme.net
- klagord.no-ip.org
- kurd2013.no-ip.biz:1177
- localh0st.servehttp.com:300
- loll1.no-ip.biz
- m4b.no-ip.org
- mda.no-ip.org
- microsoftsystem.sytes.net
- milito.no-ip.org
- mohez.no-ip.org
- msy.myvnc.com
- naza.no-ip.biz
- new-hacker.no-ip.org
- oscar-bif.zapto.org:82
- portipv6.redirectme.net:82
- pthacker.no-ip.org
- ramadan.zapto.org
- sdgsg.no-ip.biz:89789
- shawaf.sytes.net
- shee5iq.no-ip.biz:8888
- shee5iq.no-p.biz:8888
- sro7.no-ip.info:1663
- systemsxp.sytes.net
- theghostholako.no-ip.org
- thescorpionking.no-ip.org
- utilesat.zapto.org:88
- uty.myq-see.com:5510
- wahidhackerdz.no-ip.biz
- xkiller.no-ip.info
- xmx.no-ip.info:81
- xxsc.no-ip.org
- xxxxxx.no-ip.biz
- yahoomail.3utilities.com
- zilol.no-ip.org
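As an added example that is not part of the page, the Python below matches constructed DNS-query and flow records against a handful of the indicators from the list above (the full list would be loaded the same way). Because the page says the worm uses a random port and lists the same host with several ports, indicators are normalised to the host part before matching. The log line layout and the sample client and destination addresses are assumptions made for the example.

```python
import re
from collections import Counter

# A handful of the host indicators listed on the page (host, optionally :port).
C2_INDICATORS = [
    "178.61.186.27:288",
    "999mostafa999.no-ip.biz",
    "ajeeb.zapto.org:1777",
    "alnazee.no-ip.org:1993",
    "alnazee.no-ip.org:3339",
    "dnsip.servehttp.com:1604",
    "microsoftsystem.sytes.net",
    "shee5iq.no-ip.biz:8888",
    "yahoomail.3utilities.com",
]


def parse_indicator(raw):
    """Split 'host[:port]' into (host, port or None). The page lists one host with
    several ports and says a random port is used, so callers match on host only."""
    host, sep, port = raw.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return raw.lower(), None


C2_HOSTS = {parse_indicator(i)[0] for i in C2_INDICATORS}

# Constructed DNS-query log lines; the "client <ip> query <type> <name>" layout is
# assumed for the example and is not taken from the page.
SAMPLE_DNS_LOG = """\
2013-11-06 09:12:01 client 10.0.0.15 query A www.example.com
2013-11-06 09:12:07 client 10.0.0.15 query A ajeeb.zapto.org
2013-11-06 09:12:09 client 10.0.0.22 query A update.example.org
2013-11-06 09:12:30 client 10.0.0.15 query A MICROSOFTSYSTEM.sytes.net.
2013-11-06 09:13:02 client 10.0.0.31 query A shee5iq.no-ip.biz
"""
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>\S+) query \w+ (?P<qname>\S+)$")

# Constructed flow records (src_ip, dst_ip, dst_port); destinations other than the
# page's indicator use documentation address ranges.
SAMPLE_FLOWS = [
    ("10.0.0.15", "192.0.2.10", 443),
    ("10.0.0.40", "178.61.186.27", 5552),
    ("10.0.0.22", "198.51.100.7", 80),
]


def match_dns_log(text):
    """Return (src_ip, queried_name) for each query to a listed C2 host.
    Names are lower-cased and stripped of a trailing dot before comparison."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname in C2_HOSTS:
            hits.append((m["src"], qname))
    return hits


def match_flows(flows):
    """Return flows whose destination IP is a listed indicator, whatever the port."""
    return [(src, dst, port) for src, dst, port in flows if dst in C2_HOSTS]


def clients_by_hit_count(dns_hits, flow_hits):
    """Count matches per internal client so the noisiest hosts are triaged first."""
    return Counter([src for src, _ in dns_hits] + [src for src, _, _ in flow_hits])


if __name__ == "__main__":
    dns_hits = match_dns_log(SAMPLE_DNS_LOG)
    flow_hits = match_flows(SAMPLE_FLOWS)
    for src, count in clients_by_hit_count(dns_hits, flow_hits).most_common():
        print(f"{src}: {count} indicator match(es)")
```

Most of the listed hosts are dynamic-DNS names, so their addresses change; matching on the queried name in DNS logs is more durable than matching on resolved IPs, and the one raw IP on the list is handled separately through flow records.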
Analysis by Francis Allan Tan Seng
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - crypted.vbs
  - do.vbs
  - file.vbs
  - nj-worm.vbs
  - servieca.vbs
  - system32.vbs
  - Taakj2005.vbs
  - temp.vbs
- You see these entries or keys in your registry:
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "<malware file name>", for example, "Serviecs.vbs"
  With data: "<malware folder and file name>", for example, "%TEMP%\Serviecs.vbs"
Last update 06 November 2013