Installation
VBS/Jenxcus installs itself in any of the following folders:
This threat can be installed with any of these file names:
- crypted.vbs
- do.vbs
- file.vbs
- Kj-w0rm.vbs
- nj-worm.vbs
- servieca.vbs
- smss-DoOoMs.vbe
- smss-DoOoMs.vbs
- system32.vbs
- Taakj2005.vbs
- temp.vbs
- w0rm.vbs
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "<malware folder and file name>"
For example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Serviecs.vbs"
With data: "%TEMP%\Serviecs.vbs"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "wscript.exe //B <malware file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<legitimate process name>"
With data: ""<legitimate process>" /minimized /regrun, wscript.exe //B "<malware folder and file name.lnk>""
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Skype"
With data: ""%ProgramFiles%\Skype\Phone\Skype.exe" /minimized /regrun, wscript.exe //B "%temp%\\Media Player\smss-DoOoMp.lnk""
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "<malware folder and file name>"
With data: "explorer.exe, wscript.exe //B "<malware folder and file name>"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "<malware folder and file name>"
With data: "<system folder>\userinit.exe,wscript.exe //B "<malware folder and file name>"
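As an added example that is not part of the original description, the following read-only PowerShell audit walks the autostart locations listed above and reports any value whose data matches the `wscript.exe //B` launch pattern or ends in a .vbs/.vbe script path. The key paths come from the description; the regular expression is an assumption built from the data formats shown in the examples, not a published signature.

```powershell
# Added example (not from the Microsoft description): audit the autostart
# locations named above for silent wscript.exe //B launches and .vbs/.vbe paths.
# Read-only: it reports suspicious entries and changes nothing.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Assumed pattern, derived from the examples above:
#   wscript.exe //B <script or .lnk>      (silent run, also appended after
#                                          explorer.exe, or userinit.exe,)
#   <path>\name.vbs / name.vbe            (script path used directly as data)
$pattern = '(?i)wscript(\.exe)?\s+//B\b|\.(vbs|vbe)("|\s|$)'

$findings = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        # Keep %TEMP% etc. unexpanded so the report shows the stored string.
        $data = [string]$item.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($data -match $pattern) {
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No wscript.exe //B or .vbs/.vbe autostart entries found in the audited keys.'
}
```

Run it in an elevated session so the HKLM keys are readable; a hit is a lead for investigation, not proof of this specific family.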
Spreads through...
If this worm detects a removable drive connected to your PC, it copies itself into every folder in that drive. It also creates a shortcut link pointing to its copy in the removable drive.
Typically, this threat gets onto your PC through a drive-by download attack. It might also have installed itself onto your PC if you visited a compromised webpage or used an infected removable drive.
The threat drops its malicious file on the infected removable drive with any of these names:
- help.vbs
- njq8.vbs
- Servieca.vbs
- Serviecs.vbs
Payload
Gives a malicious hacker access and control of your PC
VBS/Jenxcus can give a malicious hacker access and control of your PC to:
- Close the malware
- Display message boxes
- Perform a DoS or DDoS attack
- Download and execute other malware (like Bitcoin Miner)
- Open webpages
- Restart the malware
- Run files
- Run remote shell
- Shut down, log off, and restart your system
- Start Live Quran site
- Steal your online user names and passwords and the URL you entered them on
- Terminate antivirus-related processes, for example SpyTheSpy.exe, TiGeR-Firewall.exe, and bavtray.exe
- Uninstall the malware
- Update files
Some variants of this malware have anti-VM checks and can terminate and uninstall themselves when they detect that they are running in a VM environment.
It also sends information about your PC to a malicious hacker, such as the following:
- Active windows
- Antivirus product installed
- CPU information
- Firewall information
- GPU information
- Hardware identification
- Installed .NET and its version
- IP address visited
- Malware installed date
- Operating system
- Passwords
- Processor information
- Product name, product ID, and product key
- Size of RAM
- USB drives
- User names
It also steals the following information:
- No-IP/DUC passwords
- Chrome-stored passwords
- FileZilla passwords
This worm can connect to the following domains using a random port:
Additional Information
See the Win32/Jenxcus family description for more information.
Analysis by Donna Sibangan