copies itself as either "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs". It copies itself to both the %TEMP% folder and the <startup folder>.
To ensure that it runs every time Windows starts, it creates the following registry entries:
Sets value: "<malware file name>"
With data: "<malware folder and file name>"
Sets value: "Serviecs.vbs"
With data: "%Temp%\Serviecs.vbs"
If this worm detects a removable drive in your PC, it copies itself into every folder in that drive. It also creates a shortcut link file pointing to its copy in the removable drive.
Its copy in the removable drive might also be named "Serviecs.vbs", "Servieca.vbs", or "njq8.vbs".
Steals computer information
This worm collects the following information about your PC:
- Your PC name
- User name of the person currently logged on
- Operating system version
- Serial numbers for software
- Hardware identification numbers
Allows backdoor access and control
This worm connects to certain servers, for example:
- Jn.redirect.net via port 7777
- njq8.redirectme.net via port 1001
- cupidon.zapto.org via port 999
It does this to receive commands from a remote attacker and to allow that attacker to run commands on your computer.
It can run the following commands from the attacker:
- download and run additional code
- uninstall itself
Analysis by Karthik Selvaraj
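The file names, autostart value, shortcut behaviour and server/port pairs described above can be turned into a simple event matcher. The following is an added example, not part of the original analysis; the event schema (`type`, `path`, `lnk_target`, `value_name`, `data`, `host`, `port`) and the sample events are hypothetical and constructed for illustration.

```python
from pathlib import PureWindowsPath

# Indicators copied from the description above.
WORM_FILES = {"serviecs.vbs", "servieca.vbs", "njq8.vbs"}
C2_ENDPOINTS = {("jn.redirect.net", 7777), ("njq8.redirectme.net", 1001), ("cupidon.zapto.org", 999)}

def _basename(path):
    """File name of a Windows path, lower-cased, quotes and spaces stripped."""
    return PureWindowsPath(path.strip().strip('"')).name.lower()

def match_event(event):
    """Return the reasons (possibly none) an event matches the described behaviour."""
    reasons = []
    kind = event.get("type")
    if kind == "file_create":
        if _basename(event["path"]) in WORM_FILES:
            reasons.append("script copy with a known file name")
        # Shortcut whose target is one of the script copies (removable-drive spreading).
        if event["path"].lower().endswith(".lnk") and _basename(event.get("lnk_target", "")) in WORM_FILES:
            reasons.append("shortcut pointing to a script copy")
    elif kind == "registry_set":
        # The page gives the value name and data only, so the key is not checked.
        if event["value_name"].lower() in WORM_FILES and _basename(event["data"]) in WORM_FILES:
            reasons.append("autostart value naming a script copy")
    elif kind == "network":
        host = event["host"].lower().rstrip(".")  # tolerate case and a trailing dot
        if (host, int(event["port"])) in C2_ENDPOINTS:
            reasons.append("connection to a listed server and port")
    return reasons

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\ann\AppData\Local\Temp\Serviecs.vbs"},
    {"type": "file_create", "path": r"E:\Photos\Photos.lnk", "lnk_target": r"E:\Photos\njq8.vbs"},
    {"type": "registry_set", "value_name": "Serviecs.vbs", "data": r"%Temp%\Serviecs.vbs"},
    {"type": "network", "host": "NJQ8.redirectme.net.", "port": 1001},
    {"type": "network", "host": "cupidon.zapto.org", "port": 443},  # listed host, other port
    {"type": "file_create", "path": r"C:\Tools\services.vbs"},      # similar name, not listed
]

def scan(events):
    """Pair each matching event's index with its reasons."""
    return [(i, r) for i, e in enumerate(events) if (r := match_event(e))]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The matcher pairs host and port as the description does, so a connection to a listed host on a different port is not flagged; relax that check if host-only matching is wanted.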
The following can indicate that you have this threat on your PC: