Summary
JS_NEMUCOD is a Trojan downloader: once it runs, it fetches additional malicious programs from the Web. It accounts for a large number of detections worldwide and uses email as its attack vector to deliver its payload.
NEMUCOD usually arrives as an attachment to spam mail. The attachment is an archive that contains a JavaScript (.JS) file, which is the copy of the Trojan itself. The mail poses as a shipping notification, court order, non-delivery report or similar, with the message body in plain text.
No exploit is involved: the user has to open the attachment for the script to run. Once the user does, a copy of the script is created in a randomly named subdirectory of the Temporary Internet Files folder.
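The delivery pattern above (a spam mail carrying an archive that wraps a script file) is something a mail gateway can check for before the attachment reaches a user. The following is an added example, not Trend Micro code and not code from the original page: it parses a raw message, opens every ZIP attachment in memory and flags those whose members have a Windows Script Host extension. The sample mail, the attachment names and the extension lists are constructed here for illustration and are assumptions, not data from the page.

```python
"""Flag mail attachments matching the JS_NEMUCOD delivery pattern:
an archive attachment that carries a script file inside.
Added example for this page, not Trend Micro code. The sample message
is constructed inline; it is not a real NEMUCOD sample."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that Windows Script Host runs on double-click.
# Assumption: this list is the editor's, not taken from the original page.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ARCHIVE_EXTENSIONS = {".zip"}


def script_entries_in_zip(data: bytes) -> list[str]:
    """Return the names of script files inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def suspicious_attachments(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw RFC 822 message and return (attachment name, [script entries])
    for every attachment that is a script or an archive containing one."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        payload = part.get_payload(decode=True) or b""
        # Check the ZIP magic as well as the name, so a renamed archive is not missed.
        is_archive = any(lower.endswith(ext) for ext in ARCHIVE_EXTENSIONS) or payload[:2] == b"PK"
        if is_archive:
            scripts = script_entries_in_zip(payload)
            if scripts:
                hits.append((name, scripts))
        elif any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            # A bare script attachment is just as dangerous as a wrapped one.
            hits.append((name, [name]))
    return hits


def build_sample_mail(zip_members: dict[str, bytes], attachment_name: str) -> bytes:
    """Construct a test message in the style described on the page (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in zip_members.items():
            zf.writestr(member, content)
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"      # assumed sender
    msg["To"] = "recipient@example.invalid"      # assumed recipient
    msg["Subject"] = "Shipping notification"
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    mail = build_sample_mail({"notice_12345.js": b"var x = 'placeholder';"}, "notice.zip")
    print(suspicious_attachments(mail))
    # → [('notice.zip', ['notice_12345.js'])]
```

The check deliberately keys on the archive's contents rather than on the attachment name alone: an archive renamed to a harmless-looking extension still starts with the ZIP magic bytes and is still opened by the user's archiver, so it is inspected too. Other archive formats (RAR, 7z) would need their own readers; this example covers ZIP only.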
NEMUCOD is known to download any of the following threats:
For further information on JS_NEMUCOD variants that we have already detected, click here.
JS_NEMUCOD: INFECTION CHAIN and LAYERED SOLUTION
Pattern Versions and Release Dates
| Pattern | Version | Release Date |
|---|---|---|
| AntiSpam Pattern | AS 1864 | Oct 7, 2015 |
| Virus Pattern | OPR 11.967.00 | Oct 7, 2015 |
| Behavior Monitoring | OPR 1491 | November 3, 2015 |
| Network Pattern | Endpoint RR 1.10135.00 | November 3, 2015 |
| Damage Cleanup Template | Latest OPR | Pre-existing |
| Web Reputation | | Oct 9, 2015 |
Always use the latest available patterns so that both old and new variants of JS_NEMUCOD are detected.
Solution Map - What should customers do?
| Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Network Pattern |
|---|---|---|---|---|---|---|
| OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Update Pattern via Web console |
| Worry Free Business Security | 8.0 and above | Update Pattern via Web console | Update Pattern via Web console | N/A | | |
| Deep Security | 8.0 and above | N/A | Update Pattern via Web console | Update Pattern via Web console | | |
| ScanMail | SMEX 10 and later | N/A | N/A | N/A | | |
| | SMD 5 and later | N/A | N/A | N/A | | |
| InterScan Messaging | IMSVA 8.0 and above | N/A | N/A | N/A | | |
| InterScan Web | IWSVA 6.0 and later | N/A | N/A | N/A | | |
| Deep Discovery | DDI 3.0 and later | N/A | N/A | Update Pattern via web console | | |
*Refer to the Product Administrator’s Guide for how to enable the Email Reputation or Web Reputation service features.
Recommendations
For recommendations and best practices that can help you better protect your network using Trend Micro products, refer to this link.