Mitigating JS_NEMUCOD using Trend Micro Products

    • Updated:
    • 11 Feb 2016
    • Product/Version:
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 5.6
    • InterScan Web Security Virtual Appliance 6.0
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 8.0 2000/2003/2007
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Lotus Domino 5.0 zLinux
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • N/A
Summary

NEMUCOD is a downloader Trojan that fetches other malicious programs from the Web. It is being detected in large numbers worldwide and uses email as its attack vector to spread its malicious payload.

NEMUCOD usually arrives as an attachment to spam mail. The attachment is an archive containing a JS script file, which is the copy of the Trojan itself. The message typically poses as a shipping notification, court order, non-delivery report or similar, with the message body in plaintext format.

The user has to open the attachment for it to execute; no exploit is involved. Once the user opens the attachment, a copy of it is created in a randomly-named subdirectory of the Temporary Internet Files folder.
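Because the infection chain above depends on a user opening a script file inside an archive attachment, the cheapest place to break it is at the mail gateway, before the lure reaches a mailbox. The following is an added example, not code from the original article or from any Trend Micro product: it parses a raw RFC 822 message with Python's standard library, opens zip attachments in memory without extracting them, and flags any archive whose members carry Windows Script Host extensions. The sample message, the sender and recipient addresses, and the extension list are constructed for illustration; extend the list to match your own policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script extensions a gateway should not let through inside an archive.
# JS_NEMUCOD arrives as a .js file in a zip; the rest are the usual Windows
# Script Host siblings (assumption: adjust to your own attachment policy).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def script_members(zip_bytes):
    """Return the names of script files inside a zip, without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(SCRIPT_EXTENSIONS)]


def scan_message(raw_bytes):
    """Return a list of (attachment filename, [script member names]) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the bytes, not the declared type: a zip starts with "PK",
        # whatever Content-Type or filename extension the sender chose.
        is_zip = part.get_content_type() in ARCHIVE_TYPES or payload[:2] == b"PK"
        if is_zip:
            hits = script_members(payload)
            if hits:
                findings.append((name, hits))
        elif name.lower().endswith(SCRIPT_EXTENSIONS):
            # A bare script attachment is just as bad as one inside an archive.
            findings.append((name, [name]))
    return findings


def build_sample_message(script_name="shipping_notification.js", inner=b"var x = 1;"):
    """Constructed sample resembling the NEMUCOD lure: plaintext body, zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(script_name, inner)
    msg = EmailMessage()
    msg["From"] = "notice@example.com"      # constructed address
    msg["To"] = "user@example.com"          # constructed address
    msg["Subject"] = "Shipping notification"
    msg.set_content("Your parcel could not be delivered. See the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="notice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, members in scan_message(build_sample_message()):
        print(f"BLOCK {fname}: script member(s) {members}")
```

The check reads only the zip central directory, so it never writes the script to disk and costs little per message; a gateway rule built on it can quarantine the mail outright, which is stricter than relying on the virus pattern alone to recognise each new variant.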

NEMUCOD is known to download any of the following threats:

For further information on the JS_NEMUCOD variants that have already been detected, click here.

JS_NEMUCOD: INFECTION CHAIN and LAYERED SOLUTION

[Image: JS_NEMUCOD infection chain and prescribed layered solution. Click image to enlarge.]

Pattern Versions and Release Dates

Pattern                  | Version                 | Release Date
AntiSpam Pattern         | AS 1864                 | Oct 7, 2015
Virus Pattern            | OPR 11.967.00           | Oct 7, 2015
Behavior Monitoring      | OPR 1491                | November 3, 2015
Network Pattern          | Endpoint RR 1.10135.00  | November 3, 2015
Damage Cleanup Template  | Latest OPR              | Pre-existing
Web Reputation           |                         | Oct 9, 2015
Make sure to always use the latest pattern available to detect the old and new variants of JS_NEMUCOD.

Solution Map - What should customers do?

Major Products               | Versions            | Virus Pattern                  | Behavior Monitoring            | Web Reputation                 | DCT Pattern                    | Network Pattern
OfficeScan                   | 10.6 and above      | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via Web console | Update Pattern via Web console
Worry Free Business Security | 8.0 and above       | Update Pattern via Web console | Update Pattern via Web console | N/A                            |                                |
Deep Security                | 8.0 and above       | N/A                            | Update Pattern via Web console | Update Pattern via Web console |                                |
ScanMail                     | SMEX 10 and later   | N/A                            | N/A                            | N/A                            |                                |
                             | SMD 5 and later     | N/A                            | N/A                            | N/A                            |                                |
InterScan Messaging          | IMSVA 8.0 and above | N/A                            | N/A                            | N/A                            |                                |
InterScan Web                | IWSVA 6.0 and later | N/A                            | N/A                            | N/A                            |                                |
Deep Discovery               | DDI 3.0 and later   | N/A                            | N/A                            | Update Pattern via web console |                                |
 
*Refer to the Product Administrator's Guide on how to enable the Email Reputation or Web Reputation service features.

Recommendations

For recommendations and best practices that can help you better protect your network using Trend Micro products, refer to this link.

Category:
Troubleshoot; Update; SPEC
Solution Id:
1113536