Worm:VBS/Jenxcus.A
First posted on 24 May 2013.
Source: Microsoft
Aliases:
Worm:VBS/Jenxcus.A is also known as VBS/AutoRun.DZ (Avira), Type_VBS_Autorun (BitDefender), Type_VBS_Autorun (Ikarus), VBS/Autorun.worm.aafi (McAfee), VBS/Autorun-CAI (Sophos), VBS.Runauto (Symantec), VBS_OTORUN.IY (Trend Micro).
Explanation:
Installation
Worm:VBS/Jenxcus.A copies itself as either "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs". It copies itself into both the %TEMP% folder and the <startup folder>.
To ensure that it runs every time Windows starts, it creates the following registry entries:
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "<malware folder and file name>"
For example:
In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Serviecs.vbs"
With data: "%Temp%\Serviecs.vbs"
Spreads via...
Removable drives
If this worm detects a removable drive in your computer, it copies itself into every folder in that drive. It also creates a shortcut link file pointing to its copy in the removable drive.
Its copy in the removable drive might also be named "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs".
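The persistence and removable-drive behaviour described above can be turned into a simple host triage check. The script below is an added example, not Microsoft's code or part of this entry; it runs over constructed, in-memory samples of Run-key entries and of a removable-drive listing (paths plus the already-resolved targets of any .lnk files) so it works offline. The helper names (classify_run_entry, find_drive_artifacts) and the sample paths are assumptions made for the example; the file names, Run keys and drop folders come from the description above.

```python
"""Host-based triage for the Jenxcus.A indicators described on this page.

Added example (not Microsoft's code). All inputs are constructed samples.
"""
import ntpath

# File names this entry reports for the worm's copies (compared case-insensitively).
JENXCUS_NAMES = {"serviecs.vbs", "servieca.vbs", "njq8.vbs"}

# Autorun subkeys this entry names for persistence.
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Drop folders this entry names, in the forms they show up in Run-key data.
SUSPECT_DIRS = ("%temp%", r"\appdata\local\temp", r"\start menu\programs\startup")


def classify_run_entry(subkey, value_name, data):
    """Return the reasons an autorun entry matches the page's description ([] = nothing found)."""
    reasons = []
    if subkey not in RUN_KEYS:
        return reasons
    name = value_name.lower()
    target = data.lower().strip('"')
    if name in JENXCUS_NAMES or ntpath.basename(target) in JENXCUS_NAMES:
        reasons.append("known Jenxcus.A file name")
    if target.endswith(".vbs") and any(d in target for d in SUSPECT_DIRS):
        reasons.append("VBScript launched from %TEMP% or Startup")
    # The entry's pattern: value name == script file name, data == full path to it.
    if name == ntpath.basename(target) and target.endswith(".vbs"):
        reasons.append("value name equals script file name")
    return reasons


def find_drive_artifacts(listing):
    """listing: iterable of (path, shortcut_target); shortcut_target is the resolved
    target of a .lnk file, or None for ordinary files. Returns a dict of findings."""
    vbs_hits, lnk_hits = [], []
    folders_per_name = {}
    for path, target in listing:
        base = ntpath.basename(path).lower()
        if base in JENXCUS_NAMES:
            vbs_hits.append(path)
            folders_per_name.setdefault(base, set()).add(ntpath.dirname(path).lower())
        if base.endswith(".lnk") and target:
            tbase = ntpath.basename(target).lower()
            if tbase in JENXCUS_NAMES or tbase.endswith(".vbs"):
                lnk_hits.append((path, target))
    # "Copies itself into every folder": the same script name present in more than one folder.
    replicated = sorted(n for n, f in folders_per_name.items() if len(f) > 1)
    return {
        "script_copies": vbs_hits,
        "shortcuts_to_script": lnk_hits,
        "replicated_in_folders": replicated,
    }


# Constructed sample data (not taken from a real host).
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Serviecs.vbs", r"%Temp%\Serviecs.vbs"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleSvc", r"C:\Program Files\Vendor\updater.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "update", r"C:\Users\alice\AppData\Local\Temp\update.vbs"),
]
SAMPLE_DRIVE_LISTING = [
    (r"E:\Photos\Serviecs.vbs", None),
    (r"E:\Photos.lnk", r"E:\Photos\Serviecs.vbs"),
    (r"E:\Docs\Serviecs.vbs", None),
    (r"E:\Docs\report.docx", None),
    (r"E:\Docs.lnk", r"E:\Docs\Serviecs.vbs"),
]

if __name__ == "__main__":
    for entry in SAMPLE_RUN_ENTRIES:
        print(entry[1], "->", classify_run_entry(*entry) or "clean")
    print(find_drive_artifacts(SAMPLE_DRIVE_LISTING))
```

The third sample entry shows why the folder check matters on its own: a script with an unfamiliar name is still flagged because it is launched from the user's Temp folder, which is the persistence pattern this entry describes, while an ordinary vendor updater under Program Files is not flagged.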
Payload
Steals computer information
This worm collects the following information about your computer:
- Your computer name
- User name of the person currently logged on
- Operating system version
- Serial numbers for software
- Hardware identification numbers
Allows backdoor access and control
This worm connects to certain servers, for example:
- Jn.redirect.net via port 7777
- njq8.redirectme.net via port 1001
- cupidon.zapto.org via port 999
It does this to receive commands from a remote attacker and to allow that attacker to run commands on your computer.
It can run the following commands from the attacker:
- exec - download and run additional code
- uns - uninstall itself
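The servers and ports listed above are the network indicators a responder would look for in connection or proxy logs. The script below is an added example, not Microsoft's code or part of this entry; the log format and the log lines are constructed, and the helper names (parse_line, triage_connections, hosts_to_isolate) are assumptions made for the example. Only the host names and ports come from the description above.

```python
"""Network-log triage for the Jenxcus.A command-and-control indicators listed on this page.

Added example (not Microsoft's code). The log format and lines are constructed.
"""
import re
from collections import namedtuple

# (host, port) pairs this entry lists as the worm's servers.
C2_INDICATORS = {
    ("jn.redirect.net", 7777),
    ("njq8.redirectme.net", 1001),
    ("cupidon.zapto.org", 999),
}
C2_HOSTS = {h for h, _ in C2_INDICATORS}
C2_PORTS = {p for _, p in C2_INDICATORS}

# Constructed log format: "<timestamp> <src ip> -> <dst host>:<dst port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) (?P<proto>\S+)$"
)

Alert = namedtuple("Alert", "ts src host port confidence reason")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_connections(lines):
    """Return an Alert for every connection that matches a listed server or port."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole run
        host, port = rec["host"].lower(), int(rec["port"])
        if (host, port) in C2_INDICATORS:
            alerts.append(Alert(rec["ts"], rec["src"], host, port, "high",
                                "host and port match a listed Jenxcus.A server"))
        elif host in C2_HOSTS:
            alerts.append(Alert(rec["ts"], rec["src"], host, port, "high",
                                "host matches a listed server (different port)"))
        elif port in C2_PORTS:
            # Port alone is weak evidence: many legitimate services use these ports.
            alerts.append(Alert(rec["ts"], rec["src"], host, port, "low",
                                "port matches a listed server port only; review"))
    return alerts


def hosts_to_isolate(alerts):
    """Internal sources with a high-confidence match, for scoping the response."""
    return sorted({a.src for a in alerts if a.confidence == "high"})


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2013-05-24T10:01:02Z 10.0.0.15 -> njq8.redirectme.net:1001 tcp",
    "2013-05-24T10:01:09Z 10.0.0.15 -> jn.redirect.net:7777 tcp",
    "2013-05-24T10:02:30Z 10.0.0.22 -> www.example.com:443 tcp",
    "2013-05-24T10:03:11Z 10.0.0.31 -> build.internal.example:7777 tcp",
    "garbage line that does not parse",
    "2013-05-24T10:04:45Z 10.0.0.40 -> CUPIDON.ZAPTO.ORG:8080 tcp",
]

if __name__ == "__main__":
    found = triage_connections(SAMPLE_LOG)
    for a in found:
        print(a.confidence.upper(), a.src, "->", f"{a.host}:{a.port}", a.reason)
    print("isolate:", hosts_to_isolate(found))
```

Host-name matches are case-insensitive and are treated as high confidence even on an unlisted port, because a backdoor's listening port can change more easily than the dynamic-DNS name it is reached through; a port-only match is reported separately at low confidence so it is reviewed rather than acted on.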
Analysis by Karthik Selvaraj
Last update 24 May 2013