Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Mitigating JS_NEMUCOD using Trend Micro Products

    • Updated:
    • 30 Dec 2019
    • Product/Version:
    • Deep Security
    • Interscan Messaging Security Virtual Appliance
    • Interscan Web Security Virtual Appliance
    • OfficeScan
    • ScanMail for Exchange
    • Worry-Free Business Security Advanced
    • Worry-Free Business Security Standard
    • Platform:
    • N/A N/A

Trojan NEMUCOD is a downloader malware that gets another malicious programs from the Web. It's showing large number of detections worldwide and using email as its attack vector to spread its malicious payload.

NEMUCOD usually arrives as an attachment on spam mails. This attachment is in archive form which contains a JS script file inside which is copy of this trojan. It appears to be a mail about shipping notification, court order or a non-delivery report, etc with message body in plaintext format.

User has to click the attachment to execute and no exploit involved. Once user clicks the attachment, a copy of it is created in randomly-named subdirectory in temporary internet files folder.

NEMUCOD are known to download any of the following threats:

For further information on JS_NEMUCOD variants that we have already detected, click here.



Click image to enlarge.


Pattern Versions and Release Dates

PatternVersionRelease Date
AntiSpam PatternAS 1864Oct 7, 2015
Virus PatternOPR 11.967.00Oct 7, 2015
Behavior MonitoringOPR 1491November 3, 2015
Network PatternEndpoint RR 1.10135.00November 3, 2015
Damage Cleanup TemplateLatest OPR Pre-existing
Web Reputation Oct 9, 2015
Make sure to always use the latest pattern available to detect the old and new variants of JS_NEMUCOD.

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternNetwork Pattern
OfficeScan10.6 and aboveUpdate Pattern via web consoleUpdate Pattern via web consoleEnable Web Reputation Service*Update Pattern via Web consoleUpdate Pattern via Web console
Worry Free Business Security8.0 and aboveUpdate Pattern via Web consoleUpdate Pattern via Web consoleN/A
Deep Security8.0 and aboveN/AUpdate Pattern via Web consoleUpdate Pattern via Web console
ScanMailSMEX 10 and laterN/AN/AN/A
SMD 5 and laterN/AN/AN/A
InterScan MessagingIMSVA 8.0 and aboveN/AN/AN/A
InterScan WebIWSVA 6.0 and laterN/AN/AN/A
Deep DiscoveryDDI 3.0 and laterN/AN/AUpdate Pattern via web console
Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.


For recommendations and the best practices that can help you better protect your network using Trend Micro products, refer to this link .

Troubleshoot; Update; SPEC
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.