Worm:VBS/Jenxcus.K

This worm (okyy.vbs) recently infected my USB flash drive and laptop. Submitted this sample to Avast 2 days ago but still no definition file is released for it.

By the way I played around with Sandbox using this worm to know its movements. I thought I would be safe and my laptop would not be infected, but I was wrong. ;D Maybe it's just my ignorance of the way Sandbox is used.

Hello,
Do you need help for malware removal? If you do, we can run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether or not malware may be running on your machine.

=> Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] - save the report to the Desktop (named ARK );

[*]Then click the >>> button and select Autostart card;
[*]Click [ Scan ] button;
[*]After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named autostart )

Attach here both GMER log reports (ARK.txt and autostart.txt).

I was able to trace and remove manually all links and files this worm had created and restored back all the attributes of the files it hid. Anyway here’s the file Farbar created for your reference.

Thanks mag86

Hi katoto,

You have lots of unnecessary stuff running on your machine but what the heck, these are legit. But the machine is waiting for us to do some cleaning.
I also recommend posting the GMER ark and autostart reports, as this tool works at a high kernel level; it can tell me if there is any suspicious (rootkit-based malware) activity running, even if this activity is hidden from FRST, the primary diagnostic tool.

Before we begin, notice:

  • You have been using the MSConfig tool to disable startup items. You have disabled lots of legit entries, including Malwarebytes-related ones.
    So, run msconfig and enable these services.

MSCONFIG\Services: MBAMScheduler => 2
MSCONFIG\Services: MBAMService => 2

AntiVirus leftovers

  • I see some previous AV leftovers still running in your system. These leftovers can conflict with the current AV setup.

Go here and download AV-Uninstaller tool for Norton/Symantec Corporate and run the tool.
http://singularlabs.com/uninstallers/security-software/

When the tool finishes its work, restart the computer.

… … … … … … … … … … … … … …

FRST shows that malware isn’t active on your system but it shows some configuration remnants that need to be removed. Note, your USB device might be infected as well, so do NOT attach USB mem-device while cleaning with FRST is in progress. For USB-based malware we will use MCShield software to check that later on …


FRST’s Fix


This FixList shall tell FRST to target the ‘bad stuff’ …

Download FixList.txt from attachments …
FixList.txt must be in the same location where FRST.exe tool is!

Re-run FRST as you did before …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt … When finished, it will produce a log fixlog.txt and will keep that log in the same folder where FRST.exe is.

Attach here the fixlog.txt log report.


MCShield Scan


Now let’s check the USB devices. The tool shall check for malware on USB and if there is any, we will remove it.

Please download MCShield from one of the following links:

MCShield -Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
[*]Wait a few seconds for MCShield to finish the initial HDD scan…
[*]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post a log report that MCShield has created.

Under the Logs tab (in Control Center), for the AllScans.txt log section click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post here AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Hi again magna86,

I agree to have lots of stuff in my laptop. :slight_smile: That's because I like exploring with so many programs.

And yes, there are lots of leftovers too from that hard-to-get-rid-of software like Symantec Endpoint Protection. NoNav can't even get rid of it.

*** I managed to get rid of Symantec Endpoint using the CleanWipe utility ***

Hi,

What about AllScans.txt?

Note for myself: re-check GMER logs

I omitted the USB scanning.

I still have a packed sample of this worm… Checked and scanned it again with Avast as of this writing, but still it does not detect it. Seems the Avast guys are not taking this worm seriously. I'm kinda turned off… :-[ ;D My love with Avast is fading away… haha

Have you sent the sample to the Avast lab?

Also attach the MCShield AllScans log…

Hi pondus!

As I’ve said, I already sent it to Avast. My concern now is the time it is taking for the Avast team to release a definition file for the viruses submitted to them. Three days or more is somehow disturbing for me.

As regards this worm, it is already contained and won't be inflicting any harm on my lappy any more.

Hi guys!

First post…

I have a “Jenxcus!lnk” worm that Avast does not recognise or see.
It only found an “mns.vbs” which looks like it goes with it.
I’m not going to switch to Microsoft Essentials just for a stupid worm.
What can I do so that Avast can remove it?

Using Avast Free, Windows 7 Ultimate

Please start your own thread and attach FRST, MCShield and OTL

Sorry, but what are FRST, MCShield and OTL?

Hi jakes09,

MCShield is software to protect from USB malware: mcshield.net

FRST is Farbar Recovery Scan Tool, and OTL lists running services, files that have been changed in a set period of time, …

Please follow this guide and attach the logs from OTL, Malwarebytes and aswMBR(Not Win8 and newer): http://forum.avast.com/index.php?topic=53253.0

The number of AVs detecting this virus as tested from VirusTotal is now up from 5, the first time I checked, to 10. And still Avast! is not in the list. It's more than a week since I uploaded the sample to Avast Lab. Any idea guys?

If you have the sample, PM it to me so I can take a look and report it again. Thanks

It seems that I'm not allowed to send PMs. I'm not even allowed to see your profile. Please PM me your email address so that I can send it directly.

I’ll send you my secondary email…

I’ve pm’ed you. I can email you if you wish? I do have your email.

Quick overview of your VBS File.

MD5 29836cb04d4b045d09730f8ddf44ce91
SHA1 dc493a1caa4f8dbf4f5ed4883ed276f325fd1150
SHA256 cd48fc4cbe7b8fea1acd50621d20bcfaf228fe3ca3c136d47726380cd64780fb
SHA512 b9a8d6c88b460c5660513df1b531d98c8ba632cf95abb68e373f71e74f7c81d3dcaf524ad3f48be814ff8ba921b91765f6b

It is attempting to open cmd.exe (presumably to make a bunch of shortcuts and hide the actual files, so another variant of the shortcut worms). It’s been classified as a VBS Worm and a Network Worm (the Net part of which I don’t believe).

It also appears to be making keys in the registry. See the list attached.


HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups

The worm doesn’t contact anything outside the computer (HTTP, Hosts, IP’s etc).

You can see the temp files created relating to cmd.exe*32:


C:\DOCUME~1
C:\DOCUME~1\User
C:\DOCUME~1\User\LOCALS~1
C:\DOCUME~1\User\LOCALS~1\Temp
C:\DOCUME~1\User\LOCALS~1\Temp\cmd.exe
C:\DOCUME~1\User\LOCALS~1\Temp\cmd.exe.*
C:\Python27\cmd.exe
C:\Python27\cmd.exe.*
C:\PHP\cmd.exe
C:\PHP\cmd.exe.*
C:\WINDOWS\system32\cmd.exe

The flaw that appears to me is that it doesn’t modify anything to allow an auto-start, at least from what I can tell.
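As an added defender-side check (not code from any poster in this thread), the PowerShell script below audits a removable drive for the shortcut-worm pattern described above: .lnk files whose target launches wscript, cscript or cmd (or names a .vbs), and the user's real files pushed out of sight with the Hidden+System attributes. The drive letter is an assumption; it only reports unless -Unhide is passed, in which case it restores the hidden files' attributes and leaves the shortcuts for you to review.

```powershell
# Audit a removable drive for the shortcut-worm pattern discussed in this thread.
# Reports suspicious .lnk files and Hidden+System items; changes nothing unless
# -Unhide is given. Drive letter is assumed for illustration.
param(
    [string]$Drive = 'E:\',
    [switch]$Unhide
)

$shell = New-Object -ComObject WScript.Shell
# Script hosts the shortcuts typically chain into, or a direct .vbs reference
$hostPattern = '(?i)\\(wscript|cscript|cmd)\.exe|\.vbs\b'

# 1. Shortcuts whose target or arguments invoke a script host or a .vbs file
Get-ChildItem -Path $Drive -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmdline = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        if ($cmdline -match $hostPattern) {
            [pscustomobject]@{
                Kind     = 'SuspiciousShortcut'
                Path     = $_.FullName
                Launches = $cmdline
            }
        }
    }

# 2. Non-shortcut files and folders carrying Hidden+System, the attribute
#    combination used to make the originals disappear from Explorer
$hideMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Get-ChildItem -Path $Drive -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { (($_.Attributes -band $hideMask) -eq $hideMask) -and
                   ($_.Extension -ne '.lnk') } |
    ForEach-Object {
        if ($Unhide) {
            # Clear only Hidden and System; leave Archive/ReadOnly as found
            $_.Attributes = $_.Attributes -band (-bnot $hideMask)
        }
        [pscustomobject]@{
            Kind     = if ($Unhide) { 'Unhidden' } else { 'HiddenSystem' }
            Path     = $_.FullName
            Launches = ''
        }
    }
```

Run it with the drive connected but before opening anything on it; the flagged .lnk files and the .vbs they point at are what the FRST/MCShield steps above are meant to remove.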