VBS_DUNIHI.CJ

 Analysis by: Jennifer Gumban

 ALIASES:

Troj/VBS-BS (Sophos)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

  TECHNICAL DETAILS

File Size:

15,977 bytes

File Type:

VBS

Initial Samples Received Date:

28 Oct 2013

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

  • %TEMP%\Servieca.vbs

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

  • %User Profile%\Start Menu\Programs\Startup\Servieca.vbs

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_USERS \{SID}
njq8 = "n"

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Other Details

This Trojan connects to the following possibly malicious URL:

  • http://facebookjordan.{BLOCKED}o.org:99/ready

NOTES:

This malware drops shortcut files pointing to the copy of itself in removable drives. The dropped .LNK files use the names of the folders, subfolders and files located on the said drives for their file names. It then sets the attributes of the original folders to System and Hidden to trick the user into clicking the .LNK files.