Worm:VBS/Jenxcus.CB
First posted on 26 February 2019.
Source: Microsoft
Aliases:
Worm:VBS/Jenxcus.CB is also known as Crypt_c.AEUB, Trojan.Script.Agent.ER, Trojan.Hworm.6, VBS/Autorun.worm.aagb, VBS/Dinihou-A, VBS_BACKSHELL.SM.
Explanation:
Installation
When run, this VBScript worm creates a copy of itself in %TEMP%. The file name can vary; some of the file names we have seen include:
- 5588.vbs
- google.vbs
- mzab.vbs
- xxxxxxxx.vbs
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: ""
With data: "wscript.exe //B ".vbs""
The worm also copies itself to.
It creates the registry key HKLM\software\ as an infection marker.
Spreads via...
Removable drives
This worm spreads via removable storage drives, such as USB flash drives.
It checks your PC for removable drives. If a removable drive is found, the worm copies itself onto that drive. It also creates several link (.lnk) files that run the VBScript worm. The .lnk file names are created using file names already on the removable drive.
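The two traces described above, the Run-key entry that starts a .vbs through wscript.exe //B and the .lnk files named after files already on a removable drive, can be checked for during triage. The following is an added example, not part of the original write-up; the sample registry values and drive listing are constructed, and treating a shortcut as "reusing" a name when its stem equals another entry's full name or stem is an assumption, since the write-up does not give the exact naming scheme.

```python
import re
from pathlib import PureWindowsPath

# Autorun data shape from the write-up: wscript.exe //B "<script>.vbs"
WSCRIPT_BATCH_VBS = re.compile(r'wscript(\.exe)?"?\s+.*//B\b.*\.vbs\b', re.IGNORECASE)

def suspicious_run_entries(run_values):
    """Return Run-key value names whose data starts a .vbs via wscript in batch mode."""
    return sorted(n for n, d in run_values.items() if WSCRIPT_BATCH_VBS.search(d))

def shadowing_shortcuts(root_listing):
    """Return .lnk names that reuse another entry's name, if a .vbs is on the drive too.

    Assumption: "reuse" means the shortcut's stem equals another entry's full
    name or its stem (report.docx -> report.docx.lnk or report.lnk).
    """
    paths = [PureWindowsPath(n) for n in root_listing]
    if not any(p.suffix.lower() == ".vbs" for p in paths):
        return []
    others = set()
    for p in paths:
        if p.suffix.lower() != ".lnk":
            others.update({p.name.lower(), p.stem.lower()})
    return sorted(p.name for p in paths
                  if p.suffix.lower() == ".lnk" and p.stem.lower() in others)

# Constructed sample data (not taken from a real host or from the write-up).
SAMPLE_RUN = {
    "google": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\google.vbs"',
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /silent',
    "LogonScript": r'wscript.exe "C:\scripts\logon.vbs"',
}
SAMPLE_DRIVE = ["report.docx", "report.docx.lnk", "photos", "photos.lnk",
                "google.vbs", "setup.lnk"]

if __name__ == "__main__":
    print("Run-key values to review:", suspicious_run_entries(SAMPLE_RUN))
    print("Shortcuts to review:", shadowing_shortcuts(SAMPLE_DRIVE))
```

On a live host, feed `suspicious_run_entries` the name/data pairs exported from the Run key and `shadowing_shortcuts` the root directory listing of the removable drive.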
Payload
Worm:VBS/Jenxcus.CB can give a hacker access to and control of your PC.
This worm contacts a remote server using an HTTP POST command. We have seen it connect to lemsi.dvr-.com.
It sends the following information about your PC to the server:
- Disk volume serial number
- PC name
- User name
- Operating system information, for example, the name and version
- Antimalware software details
Once the server receives information about your PC, it replies to the worm with instructions on what to do next. The commands can be any of the following:
- Run a command on the PC
- Download and run a file, including other malware
- Update the worm
- Remove the worm after an update or after other malware is run
Analysis by Patrick Estavillo
Last update 26 February 2019