JSE Worm
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
The worm is mainly propagated via malicious attachments in spam emails purporting to contain invoices for products or services. The spam emails contain an .ace attachment renamed to .rar. A program such as WinRAR or 7-zip opens .ace files like any other compressed file type, and the user is presented with a malicious .jse file.
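The renamed archive described above is detectable without trusting the file name at all: the header bytes of an ACE archive differ from those of a RAR archive. The following Python is an added example, not NHS Digital's code or anything shipped with the alert; the signature table, the sample attachments and the function names are this example's own constructions.

```python
"""Added example (not NHS Digital's code): flag e-mail attachments whose
on-disk extension disagrees with the archive format found in the header.
The worm arrives as an .ace archive renamed to .rar; a mail-gateway or
endpoint check that reads magic bytes instead of the file name catches it."""
import os

# Header markers for a few archive formats (published format signatures;
# ACE puts "**ACE**" at byte offset 7, RAR and ZIP start at offset 0).
SIGNATURES = {
    "ace": (7, b"**ACE**"),
    "rar": (0, b"Rar!\x1a\x07"),
    "zip": (0, b"PK\x03\x04"),
}

# Constructed sample attachments (hypothetical bytes, not real malware).
CONSTRUCTED_ACE = b"\x00" * 7 + b"**ACE**" + b"\x00" * 24
CONSTRUCTED_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 24
CONSTRUCTED_TEXT = b"Dear customer, please find the invoice attached."


def detect_archive_type(data: bytes):
    """Return the archive type implied by the header bytes, or None."""
    for kind, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def check_attachment(filename: str, data: bytes):
    """Return (verdict, detail) for one attachment.

    verdict is "mismatch" when the extension and the header disagree,
    "ok" when they agree, and "unknown" when no signature matched."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = detect_archive_type(data)
    if actual is None:
        return ("unknown", f"{filename}: no known archive signature")
    if claimed != actual:
        return ("mismatch",
                f"{filename}: named .{claimed} but header says {actual}")
    return ("ok", f"{filename}: {actual} archive, extension matches")


def scan_samples():
    """Run the check over the constructed samples; returns the verdicts."""
    samples = [
        ("invoice_4471.rar", CONSTRUCTED_ACE),   # the lure in the alert
        ("statement.rar", CONSTRUCTED_RAR),      # a genuine RAR file
        ("invoice.txt", CONSTRUCTED_TEXT),       # not an archive at all
    ]
    return [check_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict, detail in scan_samples():
        print(f"[{verdict:8}] {detail}")
```

Quarantining on a "mismatch" verdict, or at least stripping the attachment for review, blocks this delivery step before any user opens the archive and sees the .jse inside.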
If the .jse file is executed by a user, Microsoft WScript.exe will run the worm and the second stage of the attack begins. The worm enumerates storage drives looking for those labelled NETWORK or REMOVABLE, creates a list of files with extensions matching those the worm is able to affect, and then iterates through the file list performing two actions on each: it copies itself to <same-filename.jse> and deletes the original file.
The method of replacing a user’s files with copies of itself is likely used to heighten the chances of further infection as each new host may have access to unexplored areas of a network which can then be infected.
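Because every overwritten document is replaced with the same script, an infected share ends up holding many .jse files with byte-for-byte identical content. The following Python is an added example for hunting that footprint; it is not NHS Digital's code, the clustering heuristic and the minimum group size are this example's own choices rather than figures from the alert, and the demo directory it builds is constructed data.

```python
"""Added example (not NHS Digital's code): surface the worm's footprint
by grouping .jse files under a share or removable drive by SHA-256 and
reporting large groups of identical content for analyst review."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_jse_clusters(root: str, min_count: int = 3):
    """Return {sha256: [paths]} for every group of at least min_count
    identical .jse files beneath root (extension matched case-insensitively).
    min_count=3 is this example's assumption about what is worth a look."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jse"):
                full = os.path.join(dirpath, name)
                groups[sha256_of(full)].append(full)
    return {digest: sorted(paths)
            for digest, paths in groups.items() if len(paths) >= min_count}


def build_demo_tree() -> str:
    """Create a constructed directory that mimics an overwritten share:
    four identical .jse files, one unrelated .jse and one untouched .docx."""
    root = tempfile.mkdtemp(prefix="jse_demo_")
    # Constructed stand-in for the worm body; harmless comment text only.
    worm_body = b"// constructed placeholder script, not real malware\n"
    for name in ("invoice.jse", "report.jse", "budget.jse", "notes.jse"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(worm_body)
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "login.jse"), "wb") as fh:
        fh.write(b"// a legitimate, different script\n")
    with open(os.path.join(root, "sub", "survivor.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed document bytes")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for digest, paths in find_jse_clusters(demo).items():
        print(f"{len(paths)} identical .jse files, sha256={digest[:12]}...")
        for p in paths:
            print("   ", p)
```

Pointing find_jse_clusters at the root of a network share or a mounted removable drive gives the list of identical scripts, which doubles as the list of documents that were destroyed and now have to be restored from backup.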
The worm communicates with Command and Control (C2) servers to download additional malicious payloads such as ransomware and banking trojans.
At the time of publication only a limited number of anti-virus vendors identify the worm as malware.
Remediation steps
Last edited: 17 February 2020 11:33 am