Worm:VBS/Jenxcus.A


Microsoft security software detects and removes this threat.

This worm can give a malicious hacker access to and control of your PC.

It spreads through infected removable drives, such as USB flash drives.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Worm:VBS/Jenxcus.A copies itself as "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs" into both the %TEMP% folder and the <startup folder>.

To ensure that it runs every time Windows starts, it creates the following registry entries:

In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "<malware folder and file name>"

For example:

In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Serviecs.vbs"
With data: "%Temp%\Serviecs.vbs"

Spreads via...

Removable drives

If this worm detects a removable drive in your PC, it copies itself into every folder in that drive. It also creates a shortcut link file pointing to its copy in the removable drive.

Its copy on the removable drive might also be named "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs".
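
The installation and removable-drive artifacts described above can be checked for on a host with the following PowerShell. This is an added example, not part of the original entry or of Microsoft's tooling: the file names and Run keys are the ones listed on this page, while the function name, the choice to check both the per-user and all-users startup folders, and the output shape are assumptions.

```powershell
# Added example: hunt for the Jenxcus.A artifacts listed on this page.
# Function name, startup-folder choice and output shape are assumptions.
$Names   = 'Serviecs.vbs', 'Servieca.vbs', 'njq8.vbs'
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-JenxcusArtifact {
    $meta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # 1. Run-key values whose name or data references one of the file names.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip provider metadata
            if ("$($p.Name) $($p.Value)" -match $pattern) {
                [pscustomobject]@{ Type = 'RunKey'; Path = "$key\$($p.Name)"; Detail = "$($p.Value)" }
            }
        }
    }
    # 2. Copies in %TEMP% and the startup folders (Test-Path also sees hidden files).
    $dirs = $env:TEMP, [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($dir in $dirs) {
        foreach ($name in $Names) {
            $file = Join-Path $dir $name
            if (Test-Path -LiteralPath $file) {
                [pscustomobject]@{ Type = 'File'; Path = $file; Detail = '' }
            }
        }
    }
    # 3. Removable drives: copies in any folder, and shortcuts that point at one.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($drive in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
        Get-ChildItem -LiteralPath "$($drive.DeviceID)\" -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($Names -contains $_.Name) {
                    [pscustomobject]@{ Type = 'RemovableCopy'; Path = $_.FullName; Detail = '' }
                } elseif ($_.Extension -ieq '.lnk') {
                    $lnk = $shell.CreateShortcut($_.FullName)   # read-only inspection of the target
                    if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $pattern) {
                        [pscustomobject]@{ Type = 'Shortcut'; Path = $_.FullName; Detail = "$($lnk.TargetPath) $($lnk.Arguments)" }
                    }
                }
            }
    }
}

Find-JenxcusArtifact | Format-Table -AutoSize -Wrap
```

An empty result only means these three file names were not found in the listed locations; it does not replace the full scan recommended above.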

Payload

Steals computer information

This worm collects the following information about your PC:

  • Your PC name
  • User name of the person currently logged on
  • Operating system version
  • Serial numbers for software
  • Hardware identification numbers

Allows backdoor access and control

This worm connects to certain servers, for example:

  • Jn.redirect.net via port 7777
  • njq8.redirectme.net via port 1001
  • cupidon.zapto.org via port 999

It does this to receive commands from a remote attacker and to allow that attacker to run commands on your computer.

It can run the following commands from the attacker:

  • exec - download and run additional code
  • uns - uninstall itself

Analysis by Karthik Selvaraj


Symptoms

The following can indicate that you have this threat on your PC:


Prevention


Alert level: Severe
First detected by definition: 1.145.2049.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 18, 2013
This entry was first published on: Mar 18, 2013
This entry was updated on: Nov 05, 2014

This threat is also detected as:
  • VBS/AutoRun.DZ (Avira)
  • Type_VBS_Autorun (BitDefender)
  • Type_VBS_Autorun (Ikarus)
  • VBS/Autorun.worm.aafi (McAfee)
  • VBS/Autorun-CAI (Sophos)
  • VBS.Runauto (Symantec)
  • VBS_OTORUN.IY (Trend Micro)