
Worm:VBS/Jenxcus.CB


First posted on 20 February 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:VBS/Jenxcus.CB.

Explanation :

Threat behavior

Installation

When run, this VBScript worm creates a copy of itself in %TEMP%. The file name can vary; some of the file names we have seen include:

  • 5588.vbs
  • google.vbs
  • mzab.vbs
  • xxxxxxxx.vbs


It modifies the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: ""
With data: "wscript.exe //B "\.vbs""

The worm also copies itself to .

It creates the registry key HKLM\software\ as an infection marker.

Spreads via...

Removable drives

This worm spreads via removable storage drives, such as USB flash drives.

It checks your PC for removable drives. If a removable drive is found the worm copies itself into that drive. It creates several link (.lnk) files that run the VBScript worm. The .lnk file names are created using file names already on the removable drive.

Payload

Worm:VBS/Jenxcus.CB can give a hacker access and control of your PC.

This worm contacts a remote server using an HTTP POST request. We have seen it connect to lemsi.dvr-.com.

It sends the following information about your PC to the server:

  • Disk volume serial number
  • PC name
  • User name
  • Operating system information, for example, the name and version
  • Antimalware software details


Once the server receives information about your PC, it replies to the worm with instructions on what to do next. The commands can be any of the following:

  • Run a command on the PC
  • Download and run a file, including other malware
  • Update the worm
  • Remove the worm after an update or after other malware is run




Analysis by Patrick Estavillo

Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:

    In subkey: HKLM\software\microsoft\windows\currentversion\run
    Sets value: ""
    With data: "wscript.exe //B "\.vbs""
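A small check for the two observable symptoms above: a Run entry that launches a .vbs through `wscript.exe //B`, and decoy .lnk files on a removable drive whose names mirror items already on that drive. This is an added example, not code from the original write-up; the Run entries and the drive listing are constructed samples, and the user and vendor paths in them are invented.

```python
import re

# Constructed sample of HKLM\...\CurrentVersion\Run entries as (value name, data).
# Not taken from a real system; user and vendor paths are invented for the example.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("google", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\google.vbs"'),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" /silent'),
    ("5588", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\5588.vbs"'),
]

# Constructed root listing of a removable drive after infection: the worm's .vbs copy
# plus .lnk files named after items that were already on the drive.
SAMPLE_DRIVE_LISTING = [
    "Holiday Photos", "Holiday Photos.lnk", "report.docx", "report.docx.lnk",
    "mzab.vbs", "notes.txt",
]

# Matches "wscript.exe //B <path>.vbs" with or without quotes around the path.
RUN_PATTERN = re.compile(r'wscript(?:\.exe)?\s+//B\s+"?([^"]+?\.vbs)"?', re.IGNORECASE)


def suspicious_run_entries(entries):
    """Return (value name, script path) for Run entries that start a .vbs via wscript //B."""
    hits = []
    for name, data in entries:
        m = RUN_PATTERN.search(data)
        if m:
            hits.append((name, m.group(1)))
    return hits


def suspicious_lnk_files(listing):
    """Return .lnk files that duplicate the name of another item on the drive.

    Only reported when a .vbs file is present beside them, which is the pattern
    this worm leaves on removable media.
    """
    names = set(listing)
    if not any(n.lower().endswith(".vbs") for n in listing):
        return []
    return [n for n in listing if n.lower().endswith(".lnk") and n[:-4] in names]


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"Run entry {name!r} starts VBScript in the background: {path}")
    for lnk in suspicious_lnk_files(SAMPLE_DRIVE_LISTING):
        print(f"Decoy shortcut on removable drive: {lnk}")
```

On a live system the same two functions can be fed the real Run key values and a real drive listing; the sample data here only stands in for those.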

Last update 20 February 2014
