
Worm:VBS/Jenxcus.A


Microsoft security software detects and removes this threat.

Worm:VBS/Jenxcus.A is a worm that spreads through removable drives. It allows backdoor access and control of your computer by a remote attacker.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Worm:VBS/Jenxcus.A copies itself as either "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs". It places a copy in both the %TEMP% folder and the <startup folder>.

To ensure that it runs every time Windows starts, it creates the following registry entries:

In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "<malware folder and file name>"

For example:

In subkeys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Serviecs.vbs"
With data: "%Temp%\Serviecs.vbs"

Spreads via...

Removable drives

If this worm detects a removable drive in your computer, it copies itself into every folder in that drive. It also creates a shortcut link file pointing to its copy in the removable drive.

Its copy on the removable drive might also be named "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs".

Payload

Steals computer information

This worm collects the following information about your computer:

  • Your computer name
  • User name of the person currently logged on
  • Operating system version
  • Serial numbers for software
  • Hardware identification numbers

Allows backdoor access and control

This worm connects to certain servers, for example:

  • Jn.redirect.net via port 7777
  • njq8.redirectme.net via port 1001
  • cupidon.zapto.org via port 999

It does this to receive commands from a remote attacker and to allow that attacker to run commands on your computer.

It can run the following commands from the attacker:

  • exec - download and run additional code
  • uns - uninstall itself

Analysis by Karthik Selvaraj


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs" in both %TEMP% and <startup folder>

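The file and registry changes described in this entry can be checked with a short script. The PowerShell below is an added example, not part of the original entry or of any Microsoft tool; it assumes PowerShell 3.0 or later, and the helper name Add-Finding and the output columns are made up for illustration.

```powershell
# Added example (not Microsoft's tooling). File names and Run keys come from
# this entry; the script layout and output format are assumptions.
$names    = 'Serviecs.vbs', 'Servieca.vbs', 'njq8.vbs'
$pattern  = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Type, $Location, $Detail) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Copies dropped in %TEMP% and the startup folders (per-user and all-users).
$folders = @($env:TEMP
             [Environment]::GetFolderPath('Startup')
             [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }
foreach ($folder in $folders) {
    foreach ($name in $names) {
        $path = Join-Path $folder $name
        if (Test-Path -LiteralPath $path) { Add-Finding 'File' $path '' }
    }
}

# 2. Run-key values whose name or data mentions one of the file names.
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        # Read raw data so an unexpanded "%Temp%\..." string is still visible.
        $data = [string]$item.GetValue($valueName, '', $raw)
        if ("$valueName $data" -match $pattern) { Add-Finding 'RunKey' "$key\$valueName" $data }
    }
}

# 3. Removable drives: copies in any folder, and shortcuts that point at one.
$shell  = New-Object -ComObject WScript.Shell
$drives = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
foreach ($drive in $drives) {
    Get-ChildItem -LiteralPath $drive.Name -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($names -contains $_.Name) {
                Add-Finding 'File' $_.FullName ''
            } elseif ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing shortcut for reading
                if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $pattern) {
                    Add-Finding 'Shortcut' $_.FullName $lnk.TargetPath
                }
            }
        }
}
$findings | Format-Table -AutoSize
```

Reading the HKLM key does not need elevation, but the HKCU key and %TEMP% are per-user, so run the script in the session of the account being checked.
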
Prevention


Alert level: Severe
First detected by definition: 1.145.2049.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 18, 2013
This entry was first published on: Mar 18, 2013
This entry was updated on: Jul 24, 2013

This threat is also detected as:
  • VBS/AutoRun.DZ (Avira)
  • Type_VBS_Autorun (BitDefender)
  • Type_VBS_Autorun (Ikarus)
  • VBS/Autorun.worm.aafi (McAfee)
  • VBS/Autorun-CAI (Sophos)
  • VBS.Runauto (Symantec)
  • VBS_OTORUN.IY (Trend Micro)