
Worm:VBS/Jenxcus.DN


First posted on 25 May 2019.
Source: Microsoft

Aliases:

Worm:VBS/Jenxcus.DN is also known as W32/Script.SUSPIC!tr, Trojan.Script.VBS.Runner.a.

Explanation:

Installation

Typically, this threat gets onto your PC from a drive-by download attack. It might also have installed itself onto your PC if you visit a compromised webpage or if you use an infected removable drive.

When run, this VBScript creates a copy of itself in the %APPDATA% folder with a random file name, for example:

%APPDATA%\Microsoft Office\Microsoft Excel.WsF
%APPDATA%\Internet Explorer\iexplore.vbs

The worm adds the following registry entries so that the malware runs each time you start your PC.

In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run or HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: ""
With data: "wscript.exe //B ".WsF""

For example:
In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
Sets value: "Microsoft Excel"
With data: "wscript.exe //B "%APPDATA%\Microsoft Office\Microsoft Excel.WsF""

In subkey: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run or HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: ""
With data: "wscript.exe //B ".vbs""

For example:
In subkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
Sets value: "iexplore"
With data: "wscript.exe //B "%APPDATA%\Internet Explorer\iexplore.vbs""
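The persistence described above (a Run value that launches wscript.exe in batch mode on a script dropped under %APPDATA%) can be audited from PowerShell. The script below is an added example, not code from the Microsoft write-up; the regular expression, the extension list and the %APPDATA% location check are assumptions derived from the paths shown above, not a signature for this sample.

```powershell
# Added example: list Run-key values that start wscript.exe with //B on a
# .vbs/.vbe/.wsf/.js file, and flag whether that file sits under %APPDATA%.
function Get-SuspiciousWscriptRunEntries {
    [CmdletBinding()]
    param()

    # The two autostart locations named in the description above.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # wscript or wscript.exe (optionally quoted), then //B or /B, then any
    # argument ending in a script extension. Assumed pattern, case-insensitive.
    $pattern = '(?i)wscript(\.exe)?"?\s+//?b\b.*\.(vbs|vbe|wsf|js)\b'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$prop.Value
            if ($cmd -notmatch $pattern) { continue }

            # Pull out the script path: a quoted path first, otherwise a bare token.
            $scriptPath = $null
            if ($cmd -match '"([^"]+\.(?:vbs|vbe|wsf|js))"') { $scriptPath = $Matches[1] }
            elseif ($cmd -match '(\S+\.(?:vbs|vbe|wsf|js))') { $scriptPath = $Matches[1] }

            # Note: for HKLM entries %APPDATA% expands to the *current* user's
            # profile, so InAppData is an approximation there.
            $expanded = if ($scriptPath) { [Environment]::ExpandEnvironmentVariables($scriptPath) } else { $null }
            $inAppData = $expanded -and $expanded.StartsWith($env:APPDATA, [StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Command    = $cmd
                ScriptPath = $expanded
                InAppData  = [bool]$inAppData
                FileExists = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
            }
        }
    }
}

Get-SuspiciousWscriptRunEntries | Format-Table -AutoSize
```

An entry with InAppData set and FileExists true matches the behaviour in the description and is worth examining; a matching entry whose file no longer exists may be left over from a removed infection.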

Spreads through...

Removable devices

This threat copies itself into every folder with HIDDEN+SYSTEM file attributes. It also creates a shortcut link (.lnk) pointing to its copy in the removable drive.

Payload

Gives a malicious hacker access and control of your PC.

This malware connects to a remote server and waits for commands from its C&C servers.

We have seen the worm contact the following remote servers:

Dz47.myq-see.com:225
maroco.linkpc.net:855
maroco.myq-see.com:855
maroco.redirectme.net:855
sexcam.3utilities.com:225

Once a connection has been established, this worm may carry out any of the following commands:

Execute files or programs
Send files
Terminate a process
Uninstall programs
Update its copy

Steals computer information

This worm collects:

Antivirus product installed
Disk volume serial number
Folder and subfolder information
OS version
Username
Computer name

It sends this information to its command and control servers.

Analysis by Ric Robielos

Last update 25 May 2019
