WORM_BONDAT.H


 ALIASES:

Worm:JS/Bondat (Microsoft), Trojan-Downloader.JS.Agent.ndw (Kaspersky), JS/Bondat.AN (ESET-NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives.

It drops copies of itself in all removable drives.

  TECHNICAL DETAILS

File Size:

340,263 bytes

File Type:

JS

Memory Resident:

Yes

Initial Samples Received Date:

25 Oct 2016

Arrival Details

This worm arrives via removable drives.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %AppData%\Roaming\{random}\{random}.js ← copy of itself

It drops the following files:

  • %AppData%\Roaming\{random}\{random}.exe ← copy of wscript.exe
  • {Removable Drive}\Drive.bat ← executes copy in removable drives
  • %AppData%\Roaming\{random}\{random}

It creates the following folders:

  • %AppData%\Roaming\{random}

Autostart Technique

This worm drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

  • %User Startup%\Start.lnk ← points to copy of itself

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This worm modifies the following registry entries so that Windows Explorer no longer displays hidden files or protected operating system files, which keeps its dropped files and the folders it hides on removable drives out of view:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 2

(Note: The default value data of the said registry entry is 1. A value of 2 turns off the "Show hidden files and folders" option in Explorer.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1. A value of 0 keeps files marked as protected operating system files, that is, files with both the Hidden and System attributes, out of Explorer listings.)

Propagation

This worm drops copies of itself in all removable drives.

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.31.18/

It does the following:

  • It searches for folders in removable drives. For each folder it creates a shortcut (.lnk) with the same name as the folder that points to the copy of itself, and it hides the original folder. A user browsing the drive sees only the decoy shortcuts and runs the worm when opening what appears to be one of their folders.
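The following PowerShell triage script is an added example and is not part of this write-up or of any vendor tool. It checks the three host-side indicators described above (the Explorer Hidden/ShowSuperHidden values, the Start.lnk entry in the user Startup folder) and then scans every removable drive for the folder-shortcut pattern: a .lnk whose base name matches a sibling folder that has been hidden, or whose target resolves to wscript.exe, cmd.exe, a .js file or a .bat file. The -Restore switch, the clearing of the System attribute alongside Hidden, and the target-name patterns are the script's own assumptions, not behaviour the write-up states.

```powershell
# Added triage script for the indicators described on this page.
# -Restore is an assumed parameter: it resets the Explorer values, removes
# Start.lnk and the decoy shortcuts, and unhides the original folders.
param([switch]$Restore)

$adv      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$shell    = New-Object -ComObject WScript.Shell
$findings = New-Object System.Collections.Generic.List[string]

# 1. Explorer view settings the worm tampers with (Hidden=2, ShowSuperHidden=0)
$p = Get-ItemProperty -Path $adv
if ($p.Hidden -eq 2 -or $p.ShowSuperHidden -eq 0) {
    $findings.Add("Explorer hides hidden/system files: Hidden=$($p.Hidden) ShowSuperHidden=$($p.ShowSuperHidden)")
    if ($Restore) {
        Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
        Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
    }
}

# 2. Autostart shortcut in the current user's Startup folder
$startLnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'Start.lnk'
if (Test-Path -LiteralPath $startLnk) {
    $sc = $shell.CreateShortcut($startLnk)
    $findings.Add("Startup shortcut: $startLnk -> $($sc.TargetPath) $($sc.Arguments)")
    if ($Restore) { Remove-Item -LiteralPath $startLnk -Force }
}

# 3. Removable drives (DriveType 2): Drive.bat and folder-named decoy shortcuts
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
             Select-Object -ExpandProperty DeviceID
foreach ($dev in $removable) {
    $root = "$dev\"
    $bat  = Join-Path $root 'Drive.bat'
    if (Test-Path -LiteralPath $bat) {
        $findings.Add("Launcher script: $bat")
        if ($Restore) { Remove-Item -LiteralPath $bat -Force }
    }

    $lnks = Get-ChildItem -LiteralPath $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue
    foreach ($lnk in $lnks) {
        # The decoy carries the name of a real folder next to it.
        $folder = Join-Path $root $lnk.BaseName
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

        $item   = Get-Item -LiteralPath $folder -Force
        $hidden = ([int]$item.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0
        $sc     = $shell.CreateShortcut($lnk.FullName)
        # Assumed heuristics: a hidden twin folder, or a target that is a
        # script host / shell launching a .js or .bat payload.
        $suspicious = $hidden -or
                      ($sc.TargetPath -match '(?i)wscript\.exe|cmd\.exe') -or
                      ($sc.Arguments  -match '(?i)\.js\b|\.bat\b')
        if (-not $suspicious) { continue }

        $findings.Add("Decoy shortcut: $($lnk.FullName) -> $($sc.TargetPath) $($sc.Arguments) (folder hidden: $hidden)")
        if ($Restore) {
            Remove-Item -LiteralPath $lnk.FullName -Force
            # Clear Hidden and System (a Hidden+System folder is exactly what
            # ShowSuperHidden=0 suppresses); clearing System is an assumption.
            $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $mask))
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No WORM_BONDAT indicators found.' }
else                       { $findings | ForEach-Object { Write-Output $_ } }
```

Run it first without -Restore to collect evidence (the resolved TargetPath and Arguments of each shortcut give you the %AppData%\Roaming\{random} path to preserve before cleanup), then with -Restore once the dropped .js and .exe copies have been quarantined; otherwise the running wscript.exe copy can simply recreate the shortcuts.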