Follow:

 

Worm:VBS/Jenxcus


Microsoft security software detects and removes this threat.

This threat is a member of the Jenxcus family of worms that can give a malicious hacker access and control of your PC. It can also collect your personal information and send it to a malicious hacker.

Typically, this threat gets onto your PC from a drive-by download attack. It can also be installed when you visit a compromised webpage or use an infected removable drive.

See VBS/Jenxcus description for more information.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Change your passwords after you've removed this threat. See Create strong passwords for details.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading. See Disable Windows Autorun for details.

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page: How do I scan a removable drive, such as a USB flash drive?

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

This threat tries to steal your sensitive and confidential information. If you think your information was stolen, see What to do if you are a victim of fraud.

Threat behavior

Installation

Worm:VBS/Jenxcus installs itself in any of the following folders:

This threat can be installed with any of these file names:

  • crypted.vbs
  • do.vbs
  • file.vbs
  • nj-worm.vbs
  • servieca.vbs
  • system32.vbs
  • Taakj2005.vbs
  • temp.vbs

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>", for example, "Serviecs.vbs"
With data: "<malware folder and file name>", for example, "%TEMP%\Serviecs.vbs"

Spreads via...

If this worm detects a removable drive connected to your PC, it copies itself into every folder in that drive. It also creates a shortcut link pointing to its copy in the removable drive.

Typically, this threat gets onto your PC from a drive-by download attack. It might also have installed itself onto your PC if you visit a compromised webpage or if you use an infected removable drive.

The threat drops the malicious file in the removable drive with any of these names:

  • help.vbs
  • njq8.vbs
  • Servieca.vbs
  • Serviecs.vbs
Payload

Gives a malicious hacker access and control of your PC

Worm:VBS/Jenxcus can give a malicious hacker access and control of your PC to:

  • Create a backdoor command shell
  • Delete files and folders
  • Download files
  • Open a website
  • Run files
  • Sleep for a given period of time
  • Steal your online user names and passwords and the URL you entered them on
  • Update files
  • Upload files
  • Uninstall itself

It also sends information about your PC to a malicious hacker, such as the following:

  • Active windows
  • Files and folders
  • IP address visited
  • Operating system
  • Running processes
  • USB drives
  • Users

This worm can connect to the following domains using a random port:

  • 178.61.186.27:288
  • 999mostafa999.no-ip.biz
  • 9d1.no-ip.org
  • a.servecounterstrike.com
  • abanas19.no-ip.biz
  • abdo1abdo.no-ip.biz
  • adolf2013.sytes.net
  • ahmad909.no-ip.biz:1061
  • ajeeb.zapto.org:1777
  • ali2010.no-ip.biz
  • aljabiry1.no-ip.biz
  • alnazee.no-ip.org:1993
  • alnazee.no-ip.org:3339
  • alsha2e.zapto.org
  • amere-ali.no-ip.biz
  • aore.no-ip.org
  • asmarany.no-ip.biz
  • asmarany.np-ip.biz:3133
  • aymen112233.no-ip.org
  • bifrost-jordan.zapto.org
  • big-hack.no-ip.com
  • blackhawk.myftp.biz
  • cggfhddsscds.no-ip.biz:288
  • cxxz.no-ip.biz
  • damla.no-ip.org:100
  • dhuaa.no-ip.org:4444
  • dnsip.servehttp.com:1604
  • doopy99.zapto.org
  • fadliking.sytes.net
  • fons.no-ip.info
  • frostate.no-ip.biz
  • ghoster13.no-ip.biz
  • gmail2013.no-ip.info
  • hackeralbasrah.no-ip.biz
  • haedar.no-ip.biz
  • hanan96.no-ip.bizport=3360
  • iraqi2013.servemp3.com:3010
  • jn.redirectme.net
  • klagord.no-ip.org
  • kurd2013.no-ip.biz:1177
  • localh0st.servehttp.com:300
  • loll1.no-ip.biz
  • m4b.no-ip.org
  • mda.no-ip.org
  • microsoftsystem.sytes.net
  • milito.no-ip.org
  • mohez.no-ip.org
  • msy.myvnc.com
  • naza.no-ip.biz
  • new-hacker.no-ip.org
  • oscar-bif.zapto.org:82
  • portipv6.redirectme.net:82
  • pthacker.no-ip.org
  • ramadan.zapto.org
  • sdgsg.no-ip.biz:89789
  • shawaf.sytes.net
  • shee5iq.no-ip.biz:8888
  • shee5iq.no-p.biz:8888
  • sro7.no-ip.info:1663
  • systemsxp.sytes.net
  • theghostholako.no-ip.org
  • thescorpionking.no-ip.org
  • utilesat.zapto.org:88
  • uty.myq-see.com:5510
  • wahidhackerdz.no-ip.biz
  • xkiller.no-ip.info
  • xmx.no-ip.info:81
  • xxsc.no-ip.org
  • xxxxxx.no-ip.biz
  • yahoomail.3utilities.com
  • zilol.no-ip.org
Additional information

See the VBS/Jenxcus description for more information.

Analysis by Francis Allan Tan Seng


Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:
    • crypted.vbs
    • do.vbs
    • file.vbs
    • nj-worm.vbs
    • servieca.vbs
    • system32.vbs
    • Taakj2005.vbs
    • temp.vbs
       
  • You see these entries or keys in your registry:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: "<malware file name>", for example, "Serviecs.vbs"
    Data: "<malware folder and file name>", for example, "%TEMP%\Serviecs.vbs"


Prevention


Alert level: Severe
First detected by definition: 1.159.2225.0
Latest detected by definition: 1.179.1345.0 and higher
First detected on: Oct 15, 2013
This entry was first published on: Oct 15, 2013
This entry was updated on: Jun 20, 2014

This threat is also detected as:
  • W32/Trojan.NFSH-6582 (Command)
  • Email-Worm.VBS.Agent.aa (Kaspersky)
  • legacyascii/AutoRun.CCSS (Norman)
  • Worm/Jenxcus.A.25 (Avira)
  • Gen:Heur.MSIL.Krypt.85 (BitDefender)
  • VBS.DownLoader.78 (Dr.Web)
  • VBS/Agent.NDJ (ESET)
  • VBS/Agent.NGB!tr (Fortinet)
  • VBS/Autorun-CAI (Sophos)