Worm:VBS/Jenxcus.A

Posted: May 24, 2013

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	9,562
Threat Level:	5/10
Infected PCs:	99,551

First Seen:	May 24, 2013
Last Seen:	January 26, 2025
OS(es) Affected:	Windows

Worm:VBS/Jenxcus.A is a Windows worm that attempts to compromise the infected PC's security to grant criminals control over it, in a fashion identical to that of a stereotypical backdoor Trojan. Even with Worm:VBS/Jenxcus.A seemingly replaced by Worm:VBS/Dunihi.A, an upgrade to it with additional command support, Worm:VBS/Jenxcus.A still is a major security risk for any computer compromised by Worm:VBS/Dunihi.A, with the potential for installing other threatening software or allowing criminals to access sensitive information. Anti-malware solutions should be engaged for removing Worm:VBS/Jenxcus.A whenever it's necessary, and malware researchers particularly encourage scanning any removable devices that may be compromised by Worm:VBS/Jenxcus.A for the purposes of self-distribution onto new systems.

The Ways Jenxcus Puts a Jinx on Your Computer

Along with its heir apparent, Worm:VBS/Dunihi.A, Worm:VBS/Jenxcus.A is part of a rise in Visual Basic-based worms targeting Latin American countries with attempts to compromise PCs. Early attacks were targeted at specific institutions, although Worm:VBS/Jenxcus.A (also referenced as VBS_JENXCUS) now appears to be distributed with less discrimination than previously, and may affect casual PC users. Worm:VBS/Jenxcus.A's choice of Visual Basic as a coding language makes Worm:VBS/Jenxcus.A an unlikely threat for non-Windows computers, although malware experts find that most versions of Windows may be compromised through Worm:VBS/Jenxcus.A.

Worm:VBS/Jenxcus.A only includes support for a scant handful of commands, but these functions are sufficiently broad that they still possess great potential for harming your PC. The most problematic functions include:

Creating a backdoor that lets criminals access your computer, potentially to steal information, install other threats or recruit your PC into an illegal botnet.
Duplicating itself on removable devices such as USB drives. Worm:VBS/Jenxcus.A duplicates itself by creating risky LNK files that take the place of various native files on the device, with the latter hidden (by adding the 'System' flag, which makes the affected file invisible on default Windows settings).

Deworming a PC that's Had a Brush with Old Malware

Worm:VBS/Jenxcus.A doesn't have as many attack features at its command as many other worms, including its apparent successor, Worm:VBS/Dunihi.A. Nonetheless, any kind of backdoor vulnerability is a high-level PC security issue that should be remedied as soon as possible. While malware researchers continue to recommend using dedicated anti-malware tools for removing worms like Worm:VBS/Jenxcus.A, any anti-malware system scans in use also should cover removable devices that could be compromised by Worm:VBS/Jenxcus.A's LNK files.

Symptoms of Worm:VBS/Jenxcus.A's presence primarily are limited to the changes Worm:VBS/Jenxcus.A makes to the aforementioned removable devices. Files that don't perform their intended functions, show unusual date stamps or are accompanied by unrecognized new files (such as a randomly-named VBScript file) are some of the most obvious signatures. However, backdoor attacks often don't show symptoms of their presence, even while they dismantle your PC's security wholesale.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%TEMP%\w.vbs

File name: w.vbs
Size: 30.27 KB (30272 bytes)
MD5: 01f694582331c72efaf12d84d5b7e346
Detection count: 274
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: April 1, 2016

%TEMP%\microsoft.vbs

File name: microsoft.vbs
Size: 85.14 KB (85149 bytes)
MD5: c4a4fcb63c5adb236a420f53dcdf6d17
Detection count: 262
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: March 23, 2016

%TEMP%\tptebpiway..vbs

File name: tptebpiway..vbs
Size: 128.73 KB (128731 bytes)
MD5: 59184a8fe0689c488d1fec6a6f70beb8
Detection count: 197
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: July 21, 2017

%APPDATA%\Java Script\JavaUpdate.js

File name: JavaUpdate.js
Size: 195.43 KB (195437 bytes)
MD5: 4eff5b4ea08190464520ac138e955555
Detection count: 155
File type: JavaScript file
Mime Type: unknown/js
Path: %APPDATA%\Java Script
Group: Malware file
Last Updated: August 2, 2016

%TEMP%\wgvaaplont..vbs

File name: wgvaaplont..vbs
Size: 103.68 KB (103681 bytes)
MD5: adb0de4e9812a81807e138fb7a8a2fb6
Detection count: 119
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: July 21, 2017

%TEMP%\njq8IsHere.vbs

File name: njq8IsHere.vbs
Size: 55.22 KB (55228 bytes)
MD5: 2d7d98a2354aa17e6788e13b01956b3a
Detection count: 93
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: April 1, 2016

%APPDATA%\aiasfacoafiasksf.vbs

File name: aiasfacoafiasksf.vbs
Size: 24.57 KB (24576 bytes)
MD5: 956b497b00ec65a69d104dc041d799ea
Detection count: 89
Mime Type: unknown/vbs
Path: %APPDATA%
Group: Malware file
Last Updated: January 21, 2017

%TEMP%\Servieca.vbs

File name: Servieca.vbs
Size: 65.53 KB (65536 bytes)
MD5: 75fd019c50bcc2e6c9c87a8d3bdee456
Detection count: 75
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: March 23, 2016

%TEMP%\help.vbs

File name: help.vbs
Size: 16.38 KB (16384 bytes)
MD5: 454cbd2770981525a7343b8f7ec047f7
Detection count: 61
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: April 1, 2016

%APPDATA%\notepad\notepad.vbe

File name: notepad.vbe
Size: 163.84 KB (163840 bytes)
MD5: 8410fb812404192b8b64e660b58cedf6
Detection count: 59
Mime Type: unknown/vbe
Path: %APPDATA%\notepad
Group: Malware file
Last Updated: May 7, 2016

%ALLUSERSPROFILE%\h.vbs

File name: h.vbs
Size: 475.13 KB (475136 bytes)
MD5: 00a0669becd62d05cb263a92e39c266a
Detection count: 42
Mime Type: unknown/vbs
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: March 30, 2016

%SYSTEMDRIVE%\Users\<username>\appdata\local\temp\x-men.exe

File name: x-men.exe
Size: 835.83 KB (835835 bytes)
MD5: ab8d1191478a9380a5db8fdb2b10fac1
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\local\temp\x-men.exe
Group: Malware file
Last Updated: June 26, 2020

%TEMP%\DragonBound.vbs

File name: DragonBound.vbs
Size: 90.4 KB (90403 bytes)
MD5: 20507787a47b320465369c207d3d127c
Detection count: 31
Mime Type: unknown/vbs
Path: %TEMP%
Group: Malware file
Last Updated: April 1, 2016

%SYSTEMDRIVE%\Users\<username>\AppData\Roaming\systeme.vbs

File name: systeme.vbs
Size: 561.42 KB (561424 bytes)
MD5: 671d85bfd0f31e2e981343c744f7445b
Detection count: 21
Mime Type: unknown/vbs
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\systeme.vbs
Group: Malware file
Last Updated: May 11, 2022

%APPDATA%\iso.vbs

File name: iso.vbs
Size: 581.28 KB (581288 bytes)
MD5: 55d3cc7a0de85f29bd63775c173352b5
Detection count: 7
Mime Type: unknown/vbs
Path: %APPDATA%
Group: Malware file
Last Updated: March 23, 2016

%TEMP% and [startup folder]\Serviecs.vbs

File name: %TEMP% and [startup folder]\Serviecs.vbs
Mime Type: unknown/vbs
Group: Malware file

%TEMP% and [startup folder]Servieca.vbs

File name: %TEMP% and [startup folder]Servieca.vbs
Mime Type: unknown/vbs
Group: Malware file

%TEMP% and [startup folder]njq8.vbs

File name: %TEMP% and [startup folder]njq8.vbs
Mime Type: unknown/vbs
Group: Malware file

More files

Registry Modifications

The following newly produced Registry Values are:

File name without pathlllllllll1349327881578033048firewall.vbsRegexp file mask%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\CSrss.exe%ALLUSERSPROFILE%\tmp[RANDOM CHARACTERS].tmp.vbs%APPDATA%\[RANDOM CHARACTERS]..vbe%APPDATA%\cool.vbs%APPDATA%\microsoft.vbs%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[RANDOM CHARACTERS]..vbe%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cool.vbs%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\home.vbe%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\iTunesHelper.vbe%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\njw0rm.exe%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Systeme.exe%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\tmp[RANDOM CHARACTERS].tmp.vbs%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs%APPDATA%\mugen.vbs%APPDATA%\notepad\notepad.vbe%APPDATA%\tmp[RANDOM CHARACTERS].tmp.vbs%TEMP%\[RANDOM CHARACTERS]..vbe%TEMP%\iTunesHelper.vbe%TEMP%\Microsofts.vbs%TEMP%\mugen.vbs%TEMP%\njw0rm.exe%TEMP%\WinUpdat.vbsHKEY..\..\{Value}HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "" = "[malware folder and file name]"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "" = "[malware folder and file name]"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Serviecs.vbs" = "%Temp%\Serviecs.vbs"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Serviecs.vbs" = "%Temp%\Serviecs.vbs"