
USB worms: Still wriggling on to under-protected computers after all these years
Malware doesn’t care if it’s being talked about or not.
When you think of malware, you probably don’t think of old school USB worms, but our Managed Detection and Response (MDR) experts actually noticed an increase in USB worms in 2024. In this article we present an example of a USB worm from the Jenxcus family they recently ran into.
USB worms spread through infected USB drives. When an unsuspecting user plugs an infected drive into their computer, a dropper initiates a payload and infects the system. In turn, the infected system will then infect every USB device that’s plugged into it.
Some of the commands are clearly gathering system information, such as the computer’s hostname and the current username.
IWshShell3.ExpandEnvironmentStrings("%computername%");
IWshShell3.ExpandEnvironmentStrings("%username%");
Other commands query system information using Windows Management Instrumentation (WMI).
ISWbemServicesEx.ExecQuery("select * from win32_logicaldisk");
ISWbemServicesEx.ExecQuery("select * from win32_operatingsystem");
The script also adds two startup entries to the registry for persistence.
IWshShell3.RegWrite("HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\Microsoft", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");
IWshShell3.RegWrite("HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\Microso", "wscript.exe //B \"C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe\"", "REG_SZ");
It also creates a fake Microsoft shortcut on the F: drive (usually a removable drive) that runs Microsoft.vbe to trick users.
IWshShell3.CreateShortcut("F:\\System Volume Information.lnk");
IWshShortcut.TargetPath("cmd.exe");
IWshShortcut.Arguments("/c start Microsoft.vbe&start explorer System Volume Information&exit");
It queries the active antivirus protection:
ISWbemServicesEx.ExecQuery("select * from antivirusproduct", "wql", "0");
And it displays the typical USB worm behavior by copying itself to the F: drive, where it will patiently wait for the next person to plug the flash drive into a Windows system.
IFileSystem3.CopyFile("C:\\Users\\{username}\\AppData\\Roaming\\Microsoft.vbe", "F:\\Microsoft.vbe", "true");
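As an added example (not code from the ThreatDown article), the following Python script checks for the two artifacts described above: a Run-key value that launches a script host in silent mode on a script under AppData, and a drive root that holds a .lnk named exactly like a real folder beside it next to a script file. The Run-key values and the drive layout are constructed samples modelled on the entries quoted above; the lure check is generalised to any folder name, not only "System Volume Information".

```python
# Added example: detect the persistence and USB-lure artifacts described above.
# Not from the ThreatDown article; all sample values below are constructed.
import re
import tempfile
from pathlib import Path

# Constructed Run-key values modelled on the two entries the worm writes.
SAMPLE_RUN_VALUES = [
    ("Microsoft", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft.vbe"'),
    ("Microso", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Microsoft.vbe"'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# A script host started with the silent flag (//B, no dialogs) on a script that
# lives under the user's AppData folder is rarely legitimate in a Run key.
SUSPICIOUS_RUN = re.compile(
    r"(?i)\b[wc]script(?:\.exe)?\b"                  # wscript.exe / cscript.exe
    r".*//B\b"                                       # silent mode
    r".*\\appdata\\.*\.(?:vbe|vbs|js|jse|wsf)\b"     # script in the profile
)

SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf"}


def suspicious_run_entries(entries):
    """Return the value names whose command line matches SUSPICIOUS_RUN."""
    return [name for name, cmd in entries if SUSPICIOUS_RUN.search(cmd)]


def find_usb_lure(root: Path):
    """Return (shortcut, script) name pairs at a drive root: a .lnk named like
    a real folder beside it (the worm uses 'System Volume Information')."""
    entries = list(root.iterdir())
    folders = {p.name.lower() for p in entries if p.is_dir()}
    shortcuts = [p for p in entries
                 if p.suffix.lower() == ".lnk" and p.stem.lower() in folders]
    scripts = [p for p in entries if p.suffix.lower() in SCRIPT_EXTS]
    return [(s.name, f.name) for s in shortcuts for f in scripts]


def build_and_scan_sample_drive():
    """Lay out a constructed USB root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System Volume Information").mkdir()               # real folder
        (root / "System Volume Information.lnk").write_bytes(b"")  # lure
        (root / "Microsoft.vbe").write_text("' constructed stand-in\n")
        (root / "holiday.jpg").write_bytes(b"")                    # benign file
        return find_usb_lure(root)
```

On a live system the same checks apply to the HKCU and HKLM Run keys read via winreg and to the root of each removable volume; the .lnk itself is not parsed here, only its name and neighbours.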
The script also references a URL at update32.hopto.org:82/is-ready/ for command and control, which has been active since 2015. Because of the /is-ready/ part of the URL, we suspect that this worm is a WSH Remote Access Trojan (RAT) in the Jenxcus family.
The WSH RAT (Windows Script Host Remote Access Trojan) has been around since at least 2013. Among other things, it is capable of stealing system information and stealing passwords from web browsers and email clients. It is also capable of disabling anti-malware solutions and Windows’ UAC (User Account Control).
Maybe the deprecation of VBScript in 2027 will finally put an end to these worms. Until then, ThreatDown’s Application Block can stop unwanted scripting engines, and its Device Control can prevent unauthorized devices from accessing sensitive data and ensure that only approved devices can interact with your network.