Worm:VBS/Jenxcus.DN
First posted on 25 May 2019.
Source: Microsoft
Aliases:
Worm:VBS/Jenxcus.DN is also known as W32/Script.SUSPIC!tr, Trojan.Script.VBS.Runner.a.
Explanation:
Installation
Typically, this threat gets onto your PC from a drive-by download attack. It might also have installed itself onto your PC if you visit a compromised webpage or if you use an infected removable drive.
When run, this VBScript creates a copy of itself in the %APPDATA% folder with a random file name, for example:
%APPDATA%\Microsoft Office\Microsoft Excel.WsF
%APPDATA%\Internet Explorer\iexplore.vbs
The worm changes the following registry entries so the malware runs each time you start your PC.
In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run or HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: "<random file name>"
With data: "wscript.exe //B "<random file name>.WsF""
For example:
In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
Sets value: "Microsoft Excel"
With data: "wscript.exe //B "%APPDATA%\Microsoft Office\Microsoft Excel.WsF""
In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run or HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: "<random file name>"
With data: "wscript.exe //B "<random file name>.vbs""
For example:
In subkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: "iexplore"
With data: "wscript.exe //B "%APPDATA%\Internet Explorer\iexplore.vbs""
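The persistence pattern above is easy to audit from an export of the two Run keys. The following is an added example, not code from Microsoft's write-up: a Python script that parses the text printed by `reg query`, then flags any value whose data launches wscript.exe with the //B (batch, no prompts) switch on a .vbs or .WsF file, and marks the hit as high confidence when the script lives under %APPDATA%. The registry output embedded in it is constructed for the demonstration, and the parser assumes the default `reg query` column layout (name, type, data separated by runs of spaces).

```python
"""Flag Run-key values that launch wscript.exe in batch mode on a .vbs/.WsF file.

Added example (not part of Microsoft's write-up). It parses the text that
`reg query <key>` prints and applies the persistence pattern described above.
"""
import re
from typing import Dict, List

# Constructed sample in the layout `reg query` prints. The "Microsoft Excel"
# and "iexplore" entries reproduce the write-up's examples; the rest are
# benign look-alikes, including a script launched without the //B switch.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Microsoft Excel    REG_SZ    wscript.exe //B "%APPDATA%\Microsoft Office\Microsoft Excel.WsF"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    iexplore    REG_SZ    wscript.exe //B "%APPDATA%\Internet Explorer\iexplore.vbs"
    Backup    REG_SZ    wscript.exe "C:\Program Files\Vendor\backup.vbs"
"""

# A key line starts at column 0 with a hive name; value lines are indented.
KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*?)\s*$")
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")
# wscript(.exe), optionally with a path, followed by //B and a quoted or
# unquoted script path ending in .vbs or .wsf (case-insensitive).
SCRIPT_RUN_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?wscript(?:\.exe)?"?\s+//b\s+"?(?P<path>[^"]+\.(?:vbs|wsf))"?$',
    re.IGNORECASE,
)


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} parsed from `reg query` output."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name, _reg_type, data = value_match.groups()
            entries[current][name] = data
    return entries


def find_script_persistence(entries: Dict[str, Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every Run-key value whose data runs wscript.exe //B on a .vbs/.WsF."""
    hits: List[Dict[str, object]] = []
    for key_path, values in entries.items():
        for name, data in values.items():
            match = SCRIPT_RUN_RE.match(data)
            if not match:
                continue
            path = match.group("path")
            hits.append({
                "key": key_path,
                "value_name": name,
                "path": path,
                # A script under %APPDATA% matches the write-up's examples exactly.
                "in_appdata": path.lower().startswith("%appdata%\\"),
            })
    return hits


def main() -> None:
    for hit in find_script_persistence(parse_reg_query(SAMPLE_REG_OUTPUT)):
        flag = "HIGH" if hit["in_appdata"] else "REVIEW"
        print(f'[{flag}] {hit["key"]}\\{hit["value_name"]} -> {hit["path"]}')


if __name__ == "__main__":
    main()
```

To use it on a live host, save the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent to a file and pass its contents to parse_reg_query(). Matching on the //B switch plus the script extension, rather than on the product-like value names, is deliberate: the names are chosen by the worm to look legitimate, while the launch pattern is what it needs to run silently.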
Spreads through...
Removable devices
This threat copies itself into every folder on the removable drive, giving the copies HIDDEN+SYSTEM file attributes. It also creates a shortcut link (.lnk) pointing to its copy on the removable drive.
Payload
Gives a malicious hacker access and control of your PC.
This malware connects to a remote server and waits for commands from the C&C servers.
We have seen the worm contact the following remote servers:
Dz47.myq-see.com:225
maroco.linkpc.net:855
maroco.myq-see.com:855
maroco.redirectme.net:855
sexcam.3utilities.com:225
Once a connection has been established, this worm may carry out any of the following commands:
Execute files or programs
Send files
Terminate process
Uninstall programs
Update its copy
Steals computer information
This worm collects:
Antivirus product installed
Disk volume serial number
Folders and subfolders information
OS version
Username
Computer name
It sends this information to command and control servers.
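The servers listed above are dynamic-DNS names with fixed non-standard ports, so a firewall or proxy log is the natural place to look for past contact. The following is an added example, not code from Microsoft's write-up: it carries the (host, port) pairs from the list as indicators, parses a constructed key=value log format, and reports an exact host-and-port match as high confidence and, optionally, a listed host on any other port as medium confidence. The log lines are constructed for the demonstration; parse_line() would need adjusting to the export format of a real appliance.

```python
"""Look for contact with the C&C hosts listed above in firewall log lines.

Added example (not part of Microsoft's write-up). The key=value log layout
below is constructed; adapt parse_line() to the export format you actually have.
"""
import re
from typing import Dict, List, Set, Tuple

# (host, port) indicators from the write-up, hosts lower-cased for comparison.
JENXCUS_C2: Set[Tuple[str, int]] = {
    ("dz47.myq-see.com", 225),
    ("maroco.linkpc.net", 855),
    ("maroco.myq-see.com", 855),
    ("maroco.redirectme.net", 855),
    ("sexcam.3utilities.com", 225),
}
C2_HOSTS: Set[str] = {host for host, _ in JENXCUS_C2}

# Constructed sample: two exact indicator matches, one listed host on a
# different port, and one benign connection.
SAMPLE_LOG = """\
2019-05-25T10:01:02Z src=10.0.0.5 dst_host=www.microsoft.com dst_port=443 action=allow
2019-05-25T10:01:07Z src=10.0.0.5 dst_host=maroco.linkpc.net dst_port=855 action=allow
2019-05-25T10:02:11Z src=10.0.0.9 dst_host=Dz47.myq-see.com dst_port=225 action=allow
2019-05-25T10:02:40Z src=10.0.0.9 dst_host=maroco.linkpc.net dst_port=80 action=deny
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; the timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def find_c2_contacts(log_text: str, host_only: bool = False) -> List[Dict[str, str]]:
    """Return log records that reached a listed host.

    An exact (host, port) match is reported as 'high'. With host_only=True a
    listed host on any port is also reported as 'medium', which matters because
    these are dynamic-DNS names whose port may differ between samples.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = rec.get("dst_host", "").lower()
        try:
            port = int(rec.get("dst_port", ""))
        except ValueError:
            port = -1  # malformed or missing port never matches an indicator
        if (host, port) in JENXCUS_C2:
            hits.append({**rec, "confidence": "high"})
        elif host_only and host in C2_HOSTS:
            hits.append({**rec, "confidence": "medium"})
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG, host_only=True):
        print(f'{hit["confidence"]:6} {hit["ts"]} {hit["src"]} -> {hit["dst_host"]}:{hit["dst_port"]}')
```

Host names are compared case-insensitively because DNS is, and the write-up itself mixes cases. Running with host_only=True widens the net to catch a port change, at the cost of a lower-confidence hit that needs a human look.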
Analysis by Ric Robielos
Last update 25 May 2019