Win32/Jenxcus
First posted on 14 January 2014.
Source: Microsoft
Aliases:
There are no other names known for Win32/Jenxcus.
Explanation:
Threat behavior
Installation
Win32/Jenxcus can be installed in one of the following folders:
- %APPDATA%
- %ProgramData%
- %ProgramFiles%
- %TEMP%
- %USERPROFILE%
- %windir%
We have seen this threat installed with any of these file names:
- njw0rm.exe
- WinAuto.exe
- WinAutoi.exe
It copies itself to the following location to make sure it runs each time you start your PC:
\" ", for example \njw0rm.exe
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example, "njw0rm.exe"
With data: "", for example, "%TEMP%\njw0rm.exe"
Spreads via...
Removable drives
If this worm detects a removable drive connected to your PC, it copies itself into the root folder of that drive. It also creates a shortcut link pointing to its copy on the removable drive.
The worm can also arrive on your PC within a file downloaded online or in a torrent.
Payload
Gives a hacker access and control of your PC
Win32/Jenxcus can give a hacker access and control of your PC to:
- Run files
- Steal your online user names and passwords and the website where you entered them
- Update files
- Uninstall itself
It also sends information about your PC to a hacker, such as the following:
- IP addresses visited
- Connected USB drives
- Active windows
- Users
- Operating system
We have seen this worm connect to the following domains using a random port (usually port 1888):
- a.servecounterstrike.com
- eqe.sytes.net
- jnj.redirectme.net
- winlogon.servecounterstrike.com
- 3dmntk.no-ip.biz
Analysis by Zhitao Zhou
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - njw0rm.exe
  - WinAuto.exe
  - WinAutoi.exe
- You see these entries or keys in your registry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example, "njw0rm.exe"
With data: "", for example, "%TEMP%\njw0rm.exe"
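An added check, not part of the Microsoft write-up, that looks for the symptoms listed above on the machine being examined: the three file names in the install folders named on this page, Run-key values that reference them, and a root-level shortcut on a removable drive that points at an executable in the same root. It assumes Windows PowerShell 3 or later and that the WScript.Shell COM object is available.

```powershell
# Added example (not Microsoft's code): checks only the indicators this page lists.
$names   = 'njw0rm.exe', 'WinAuto.exe', 'WinAutoi.exe'
$folders = $env:APPDATA, $env:ProgramData, $env:ProgramFiles, $env:TEMP, $env:USERPROFILE, $env:windir
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Known file names in any of the install folders named in the write-up
foreach ($f in $folders) {
    foreach ($n in $names) {
        $p = Join-Path $f $n
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = (Get-Item -LiteralPath $p).Length }
        }
    }
}

# 2. Run-key values whose name or data references one of the file names
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($v in $key.GetValueNames()) {
        $data = [string]$key.GetValue($v)
        foreach ($n in $names) {
            if ($v -eq $n -or $data -like "*$n*") {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$k\$v"; Detail = $data }
            }
        }
    }
}

# 3. Removable drives (DriveType 2): a .lnk in the root that targets an .exe in the same root,
#    which is the spreading pattern described under "Removable drives"
$shell = New-Object -ComObject WScript.Shell
foreach ($d in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
    $root = $d.DeviceID + '\'
    foreach ($lnk in (Get-ChildItem -LiteralPath $root -Filter *.lnk -File -ErrorAction SilentlyContinue)) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if ($target -and $target -match '\.exe$' -and
            (Split-Path $target -Parent).TrimEnd('\') -eq $root.TrimEnd('\')) {
            $findings += [pscustomobject]@{ Type = 'RemovableLnk'; Location = $lnk.FullName; Detail = $target }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators from this write-up found.' }
```

A hit on the shortcut check alone is not proof of this worm, since legitimate autorun-style shortcuts exist; treat it as something to inspect together with the file and Run-key results.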
Last update 14 January 2014