What A USB .lnk Worm (Jenxcus) Looks Like To The End User

USB worms are one of those infections that should be long dead except that users keep them alive. All it takes is an unprotected computer at home and a user who decides to use their USB stick on their home computer as well as at work.

I've come across a lot of USB worms involving shortcut files in my work experience and I've found that many SOC analysts have a hard time understanding what's going on because they've never actually seen what's happening from the user's point of view. I've scoured the web for examples that demonstrate this clearly but haven't found anything satisfactory as a teaching aide.

In this example I'll be showing a Jenxcus .vbs infection that has taken over a USB stick.

The user sits down at their computer, plugs in their infected USB stick and wants to open a file called Introducing-NMAP.pdf. The trained user might notice that all of their files are shortcuts for some reason, but most do not. All of these shortcuts (.lnk) are malicious and will infect the machine with Jenxcus.

So the user clicks Introducing-Nmap thinking they're opening their PDF file. What are they actually opening?

The command line run is actually:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start Introducing-Nmap.pdf&exit

This runs the malicious VB script aibdrozrug..vbs and then opens Introducing-Nmap.pdf so the user is completely unaware that they've just infected their computer. To them it looks like their PDF opened normally, albeit after a small delay.

But where are the real files? And where is the malicious aibdrozrug..vbs file? They're hidden files. Why don't we see them? Because by default Windows hides extensions for known files, as well as hidden and system files/folders.

When we uncheck these boxes, we can clearly see the malware on the USB stick. Notice how it creates shortcuts for every file and folder. All of them open the malicious .vbs script and then open their file/folder as expected.

Therefore if you're an analyst and you can see the command line data, look for &, start, exit, and explorer. The existence of these doesn't necessarily mean it's malware, but if you also see a suspicious looking script it's probably evil. Also, the parent process of the malicious cmd.exe will be explorer.exe because the user opened this shortcut from Windows Explorer. A persistence mechanism will usually be created and the malicious .vbs will be copied to the C:\ so the machine stays infected.

Here's some example shortcuts from this infection.
Opening a File:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start Introducing-Nmap.pdf&exit
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start androidscareware.txt&exit
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start 20160112_205327.jpg&exit
Opening a Folder:
C:\Windows\system32\cmd.exe /c start aibdrozrug..vbs&start explorer Jenxcus&exit

Here's what the Process Tree looks like for the Introducing-Nmap shortcut:

There's also malware that uses this same shortcut technique but kicks off rundll32.exe with a malicious .dll file on the USB stick. I've seen cases where the .dll filename and extension are both gibberish so it's not obvious that it's a .dll file. (Andromeda malware)

There's no vulnerability involved in this method other than tricking the user. This infection works because the Windows default setting hides known file extensions and hidden files/folders. The user has no reason to think anything is wrong.

I'm not going to dig into the .vbs file itself as it is beyond the scope of what I wanted to show here. But VirusTotal coverage is only (38/57) at the time of writing and this malware is from 2013!