Follow:

 

Win32/Jenxcus


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker access and control of your PC. It can also collect your personal information and send it to a malicious hacker.

Typically, this threat gets onto your PC from a drive-by download attack. It can also be installed when you visit a compromised webpage or use an infected removable drive.

Find out ways that malware can get on your PC



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Protect your sensitive information

This threat tries to steal your sensitive and confidential information. If you think your information has been stolen, see:

You should change your passwords after you've removed this threat:

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Jenxcus installs itself in one of the following folders:

This threat can be installed with any of these file names: 

  • njw0rm.exe
  • WinAuto.exe
  • WinAutoi.exe

It copies itself to the following location to make sure it runs each time you start your PC:

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>", for example, "njw0rm.exe"
With data: "<malware folder and file name>", for example, "%TEMP%\njw0rm.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>", for example, "njw0rm.exe"
With data: "<malware folder and file name>", for example, "%TEMP%\njw0rm.exe"

Spreads via...

Removable drives

If this worm detects a removable drive connected to your PC, it copies itself into the root folder of that drive. It also creates a shortcut link pointing to its copy in the removable drive.

Typically, this threat gets onto your PC from a drive-by download attack. It might also have installed itself onto your PC if you visit a compromised webpage or if you use an infected removable drive.

Payload

Gives a hacker access and control of your PC

Win32/Jenxcus can give a malicious hacker access and control of your PC to:

  • Run files
  • Steal your online user names and passwords and the website where you entered them
  • Update files
  • Uninstall itself

It also sends information about your PC to a malicious hacker, such as the following:

  • IP addresses visited
  • Connected USB drives
  • Active windows
  • Users
  • Operating system

This worm can connect to the following domains using a random port (usually port 1888):

  • a.servecounterstrike.com
  • eqe.sytes.net
  • jnj.redirectme.net
  • winlogon.servecounterstrike.com
  • 3dmntk.no-ip.biz

Analysis by Zhitao Zhou


Symptoms

The following symptoms can indicate that you have this threat on your PC:

  • You have these files:
     
    njw0rm.exe
    WinAuto.exe
    WinAutoi.exe

  • You see these entries or keys in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware file name>", for example, "njw0rm.exe"
    With data: "<malware folder and file name>", for example, "%TEMP%\njw0rm.exe"

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<malware file name>", for example, "njw0rm.exe"
    With data: "<malware folder and file name>", for example, "%TEMP%\njw0rm.exe"


Prevention


Alert level: Severe
This entry was first published on: Jan 13, 2014
This entry was updated on: Oct 03, 2014

This threat is also detected as:
No known aliases