
Worm:VBS/Dunihi.A


First posted on 18 June 2013.
Source: Microsoft

Aliases :

Worm:VBS/Dunihi.A is also known as VBS/Agent.NDE (ESET), W32/Script.SUSPIC!tr (other), Trojan.Script.VBS.Runner.a (Rising AV).

Explanation :



When run, this VBScript worm creates a copy of itself in either %TEMP%, %APPDATA% or %USERPROFILE% with a random file name, for example:

  • %TEMP%\bhabnxsgne.vbs
  • %APPDATA%\zxtpfcazlb.vbs


The worm modifies the following registry entry so that it runs each time Windows starts:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "<MalwareFilename>", for example "bhabnxsgne"
With data: wscript.exe //B "<folder>\<MalwareFilename>.vbs", for example wscript.exe //B "%TEMP%\bhabnxsgne.vbs" (the //B switch runs the script in batch mode, so script errors produce no dialog box and the worm fails silently rather than visibly)

The worm also copies itself into the Startup folder.

It creates the registry key HKLM\software\<MalwareFilename> as an infection marker.
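The persistence described above can be checked from an elevated PowerShell prompt. The script below is an added example, not code from Microsoft's write-up: it walks the HKLM Run key, keeps only values whose data has the wscript.exe //B "<path>.vbs" shape, and reports whether each script sits in one of the drop folders, whether the value name equals the script's base name, and whether the HKLM\software\<MalwareFilename> marker key exists. It also lists .vbs files in the per-user and all-users Startup folders. The function names are this example's own; the drop-folder and marker-key conventions come from the write-up.

```powershell
# Added example, not part of Microsoft's write-up. Assumptions: run elevated so HKLM
# is readable; Run-value data has the form wscript.exe //B "<folder>\<name>.vbs".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Drop folders named in the write-up, expanded for the current user.
# Caveat: the Run value stores the unexpanded %TEMP%/%APPDATA% string, so the
# script actually launched depends on which user logs on, not only on this one.
$dropRoots = @($env:TEMP, $env:APPDATA, $env:USERPROFILE) |
    ForEach-Object { $_.TrimEnd('\') }

# Startup folders, which the write-up says also receive a copy of the worm
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-DunihiRunValues {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PSPath/PSProvider metadata
        $data = [string]$p.Value
        # //B is WSH batch mode: no error dialogs, so a broken script fails silently
        if ($data -notmatch '(?i)^\s*"?wscript(\.exe)?"?\s+//B\s+"?([^"]+\.vbs)"?') { continue }
        $script = [Environment]::ExpandEnvironmentVariables($matches[2])
        [pscustomobject]@{
            ValueName    = $p.Name
            ScriptPath   = $script
            ScriptExists = Test-Path -LiteralPath $script
            InDropFolder = [bool]($dropRoots | Where-Object { $script -like "$_\*" })
            NameMatches  = ([IO.Path]::GetFileNameWithoutExtension($script) -eq $p.Name)
            MarkerKey    = Test-Path -LiteralPath "HKLM:\SOFTWARE\$($p.Name)"
        }
    }
}

function Get-StartupVbs {
    foreach ($dir in $startupDirs) {
        if (Test-Path -LiteralPath $dir) {
            # -Force so hidden copies are listed too
            Get-ChildItem -LiteralPath $dir -Force -File -Filter '*.vbs'
        }
    }
}

Get-DunihiRunValues | Format-Table -AutoSize
Get-StartupVbs | Select-Object FullName, Length, LastWriteTime
```

A hit with InDropFolder, NameMatches and MarkerKey all true matches every indicator the write-up gives; a Run value that launches wscript.exe //B on a .vbs in %TEMP% is suspicious on its own, since legitimate software rarely persists that way.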

Spreads via...

This worm spreads via removable storage devices, such as floppy disks or USB flash drives.

It checks the computer for removable drives. If one is found, the worm copies itself onto that drive and creates several shortcut (.lnk) files that run the VBScript worm.

The .lnk file names are taken from the files already on the removable drive.

For example, if there is a file called sample.doc on the removable drive, the worm creates a file called sample.lnk. This shortcut runs the worm's VBScript copy on the removable drive, which installs the worm on the host computer. The worm then sets the "hidden" and "system" attributes on sample.doc so that the legitimate file no longer appears in Explorer's default view. The visible sample.lnk takes its place, which encourages you to click it and run the worm.

In this example the removable drive would show sample.doc before infection, and only sample.lnk after infection (sample.doc is still on the drive, but hidden).
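The decoy pattern just described (a <name>.lnk that launches a .vbs, next to a <name>.<ext> marked hidden and system) can be found and undone with the script below. It is an added example, not code from the write-up. It enumerates removable drives, reads each root-level .lnk through the WScript.Shell COM object (which parses the shortcut without running it), and pairs it with any same-named sibling carrying both attributes. With $Restore set to $true it clears those attributes; the worm's own .vbs copy is listed separately for manual review. Function names are this example's own; the file names reported are whatever is actually on the drive.

```powershell
# Added example, not from Microsoft's write-up. Reports the decoy pattern the
# write-up describes on every removable drive. Set $Restore = $true to clear the
# hidden+system attributes; by default it only reports. Assumes the WScript.Shell
# COM object is available (it is on a stock Windows install).
$Restore  = $false
$shell    = New-Object -ComObject WScript.Shell   # parses .lnk files; does not run them
$hideMask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

function Get-RemovableDrives {
    # DriveType 2 = removable disk (USB stick, floppy)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID
}

function Find-DunihiDecoys([string]$Drive) {
    # -Force so hidden/system entries are listed
    $entries = Get-ChildItem -LiteralPath "$Drive\" -Force -File
    foreach ($lnk in ($entries | Where-Object Extension -eq '.lnk')) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $launch = ("$($sc.TargetPath) $($sc.Arguments)").Trim()
        # The decoy ultimately runs a VBScript; ignore shortcuts that do not
        if ($launch -notmatch '(?i)\.vbs(\b|$)') { continue }
        $base = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)
        # Same base name, not a .lnk, and both Hidden and System set
        $twins = $entries | Where-Object {
            $_.Extension -ne '.lnk' -and
            [IO.Path]::GetFileNameWithoutExtension($_.Name) -eq $base -and
            (([int]$_.Attributes -band $hideMask) -eq $hideMask)
        }
        foreach ($t in $twins) {
            [pscustomobject]@{
                Drive      = $Drive
                DecoyLink  = $lnk.Name
                Launches   = $launch
                HiddenFile = $t.Name
            }
            if ($Restore) {
                # Clear Hidden and System so the legitimate file is visible again
                $t.Attributes = [IO.FileAttributes]([int]$t.Attributes -band -bnot $hideMask)
            }
        }
    }
}

function Find-RootVbs([string]$Drive) {
    # The worm's own copy lives on the drive; any .vbs at the root deserves a look
    Get-ChildItem -LiteralPath "$Drive\" -Force -File -Filter '*.vbs' |
        Select-Object @{n='Drive'; e={ $Drive }}, Name, Length, LastWriteTime
}

foreach ($d in Get-RemovableDrives) {
    Find-DunihiDecoys -Drive $d
    Find-RootVbs -Drive $d
}
```

Restoring attributes leaves the .lnk and .vbs files in place on purpose: delete those only after the host itself has been cleaned, otherwise the next Autorun-free double-click on a remaining decoy reinfects it.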

Payload

Allows backdoor access and control

Worm:VBS/Dunihi.A contacts a remote server using an HTTP POST request.

It sends the following information about your computer to the server:

  • Disk volume serial number
  • Computer name
  • User name
  • Operating system information, for example, the name and version
  • Antimalware software details


Once it has received this information, the remote server replies to the worm with instructions on what to do next. The commands may be any of the following:

  • Run a command in the system
  • Download and run a file, including other malware
  • Update the worm
  • Remove the worm after an update or after other malware is run


We have seen the worm contact the following remote servers:

  • abdnjworm.no-ip.biz
  • abocasse.zapto.org
  • ahmedghost.no-ip.info
  • b-trese.no-ip.biz
  • boucraa.no-ip.org
  • dd.no-ip.bz
  • debili1.no-ip.biz
  • fuck-all.no-ip.info
  • hackers1990.no-ip.org
  • heartbraker.no-ip.biz
  • jnyn-99.no-ip.org
  • mda.no-ip.org
  • mmrick.zapto.org
  • mntm.no-ip.biz
  • mootje01.no-ip.org
  • mozaya46415.zapto.org
  • rouge166821.no-ip.biz
  • vanonymous.no-ip.org
  • vichtorio-israeli.zapto.org
  • zkzak.np-ip.biz
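Because the worm's beacon is an HTTP POST issued by the Windows Script Host itself, outbound connections from wscript.exe are a useful hunting point. The script below is an added example, not from the write-up, and assumes Sysmon is installed with network-connection logging (Event ID 3) enabled, which the write-up does not mention. It pulls every connection made by wscript.exe or cscript.exe, unpacks the Sysmon event fields, and marks the destination as one of the servers listed above (copied verbatim, typos included), as a host in the no-ip/zapto dynamic-DNS zones those servers use, or as something to review by hand.

```powershell
# Added example, not from Microsoft's write-up. Assumes Sysmon with Event ID 3
# (network connection) logging; reads the Sysmon operational log.
$knownServers = @(
    'abdnjworm.no-ip.biz', 'abocasse.zapto.org', 'ahmedghost.no-ip.info',
    'b-trese.no-ip.biz', 'boucraa.no-ip.org', 'dd.no-ip.bz', 'debili1.no-ip.biz',
    'fuck-all.no-ip.info', 'hackers1990.no-ip.org', 'heartbraker.no-ip.biz',
    'jnyn-99.no-ip.org', 'mda.no-ip.org', 'mmrick.zapto.org', 'mntm.no-ip.biz',
    'mootje01.no-ip.org', 'mozaya46415.zapto.org', 'rouge166821.no-ip.biz',
    'vanonymous.no-ip.org', 'vichtorio-israeli.zapto.org', 'zkzak.np-ip.biz'
)
# Dynamic-DNS zones the listed servers are registered under
$ddnsZone = '(?i)\.(no-ip\.(biz|info|org)|zapto\.org)$'

function Get-ScriptHostConnections {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
    } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Sysmon stores its fields as <Data Name="...">; unpack them into a hashtable
        $xml = [xml]$ev.ToXml()
        $f = @{}
        foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        # Only the Windows Script Host processes that run .vbs files
        if ($f['Image'] -notmatch '(?i)\\[wc]script\.exe$') { continue }
        $dest = $f['DestinationHostname']
        $verdict = if ($knownServers -contains $dest) { 'known Dunihi server' }
                   elseif ($dest -match $ddnsZone)    { 'dynamic-DNS host' }
                   else                                { 'review' }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Process = $f['Image']
            Dest    = $dest
            Port    = $f['DestinationPort']
            Verdict = $verdict
        }
    }
}

Get-ScriptHostConnections | Sort-Object Time | Format-Table -AutoSize
```

Any wscript.exe connection to a dynamic-DNS host is worth pulling the script for, even if the name is not in the list: the operators behind samples like this rotate hostnames freely, and the list above is only what Microsoft had observed at the time of writing.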
Analysis by Ric Robielos

Last update 18 June 2013
