We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain constantly high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software Removal Tool (MSRT).
Figure 1: Jenxcus machine infections October 2013 – January 2014
Although Jenxcus is not a very complex malware, it seems to be successful in taking advantage of social engineering attacks – where the malicious script file is commonly bundled with other programs. When the program bundle is executed Jenxcus runs silently in the background. We have seen these bundled programs hosted in certain websites and also seeded in some torrent files.
Figure 2 shows an example of a spoofed YouTube site (take note that this is a fake YouTube site) that can be used to attack users of social media services such as Facebook and Twitter by luring them to watch a video. When attempting to play the video, the site serves a fake Flash Player update which is bundled with Jenxcus.
Figure 2: Jenxcus is bundled with a fake Flash Player update on a fake video hosting site
Another reason why Jenxcus is affecting a large number of machines is due to its worm capability which propagates via removable drives. If a removable drive is found on the infected machine, most Jenxcus variants create a shortcut that uses the same name as personal files found in the drive. The shortcut points to a copy of the malware, and thus users can be caught off-guard by thinking the shortcut link points to a trusted clean file. As shown in Figure 3, when the shortcut link is run it will silently execute Servieca.vbs in the background while also playing my song.mp3 to avoid any suspicion from the user.
Figure 3: When the shortcut link is run it will also silently execute Servieca.vbs
Jenxcus also has backdoor capabilities – it connects to a host which provides it with commands to execute. The host is usually hardcoded into the worm. Most of the host sites are leveraging no-ip.org to avoid being easily traced.
Figure 4: Jenxcus uses no-ip.org as its host
The latest variants of Jenxcus are now typically obfuscated to evade easy detection. Figure 5 shows an example of how an obfuscated Jenxcus variant looks.
Figure 5: An obfuscated Jenxcus variant
In this particular example, the obfuscator inserted a combination of a random set of garbage numbers and characters in between the code. Removing this would leave decimal values that, when converted to ASCII characters, would reveal the original code.
Given the tricks and evasion techniques employed by Jenxcus, we recommend you run up-to-date, real-time antimalware software and enable scanning on removable drives.
Being vigilant with your clicks and downloads will also help prevent Jenxcus and other threats from getting inside your system.
Francis Allan Tan Seng and Ferdinand Plazo