Worm.WSF.DUNIHI.NLJ

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Führt Befehle eines externen, böswilligen Benutzers aus, wodurch das betroffene System gefährdet wird.

Übertragungsdetails

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

Schleust die folgenden Dateien ein:

• %User Profile%\{Malware Filename} - if %User Profile% exists
• %Temp%\{Malware Filename} - if %User Profile% does not exist

(Hinweis: %User Profile% ist der Ordner für Benutzerprofile des aktuellen Benutzers, normalerweise C:\Windows\Profile\{Benutzername} unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername} unter Windows NT, C:\Dokumente und Einstellungen\{Benutzername} unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{user name} unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %Temp% ist der Windows Ordner für temporäre Dateien, normalerweise C:\Windows\Temp oder C:\WINNT\Temp.)

Autostart-Technik

Fügt folgende Registrierungseinträge hinzu, um bei jedem Systemstart automatisch ausgeführt zu werden.

If %User Profile% exists:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Name} = wscript.exe //B "%User Profile%\{Malware Filename}"

If %User Profile% does not exist:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Name} = wscript.exe //B "%Temp%\{Malware Filename}"

If %User Profile% exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware Name} = wscript.exe //B "%User Profile%\{Malware Filename}"

If %User Profile% does not exist:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware Name} = wscript.exe //B "%Temp%\{Malware Filename}"

Schleust die folgenden Dateien in den benutzerspezifischen Autostart-Ordner von Windows ein, um sich selbst bei jedem Systemstart auszuführen.

• %User Startup%\{Malware Filename}

(Hinweis: %User Startup% ist der Ordner 'Autostart' des aktuellen Benutzers, normalerweise C:\Windows\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows NT, C:\Documents and Settings\{Benutzername}\Startmenü\Programme\Autostart unter Windows 2003(32-bit), XP und 2000(32-bit) und C:\Users\{Benutzername}\AppData\Roaming\Microsoft\Windows\Startmenü\Programme\Autostart unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Andere Systemänderungen

Fügt die folgenden Registrierungseinträge hinzu:

If it is executed in the root of a drive:
HKEY_LOCAL_MACHINE\SOFTWARE\{Malware Name}
(Default) = true - {Current Date in MM/DD/YYYY format}

If it is not executed in the root of a drive:
HKEY_LOCAL_MACHINE\SOFTWARE\{Malware Name}
(Default) = false - {Current Date in MM/DD/YYYY format}

Verbreitung

Schleust folgende Kopie(n) von sich selbst in alle Wechsellaufwerke ein:

• {Removable Drive Letter}\{Malware Filename} → sets attribute to Hidden and System

Backdoor-Routine

Führt die folgenden Befehle eines externen, böswilligen Benutzers aus:

• excecute<|>{Command} → it executes an expression or code.
• update<|>{Codes} → it updates the existing {Malware Path}\{Malware Filename} by writing updated codes to it.
  • It restarts the updated malware by running the following process:
    • wscript.exe //B {Malware Path}\{Malware Filename}
• uninstall → it does the following:
  • It deletes created autostart registry entries.
  • It deletes %User Startup%\{Malware Filename}.
  • It deletes {Malware Path}\{Malware Filename}.
  • It deletes all shortcut files in active removable drives.
  • It deletes dropped {Malware Filename} in active removable drives.
  • It sets the attributes of original files and folders in active removable drives to normal.
  • It terminates itself afterwards.
• send<|>{File URL}<|>{Directory} → it does the following:
  • It connects to the following URL through HTTP POST to download a file from the {File URL}:
    • http://{BLOCKED}ns.net:13/is-sending<|>{File URL}
  • It saves the downloaded file as:
    • {Directory}\{Filename from File URL}
  • If {Directory} is not specified, it saves the downloaded file as:
    • %User Profile%\{Filename from File URL}
  • It executes the downloaded file afterwards.
• site-send<|>{File URL}<|>{Filename} → it does the following:
  • It connects to the {File URL} through HTTP GET to download a file.
  • It saves the downloaded file as:
    • %User Profile%\{Filename}
  • It executes the downloaded file afterwards.
• recv<|>{File Path}\{Filename} → it does the following:
  • It connects to the following URL through HTTP POST to upload a file's content specified in {File Path}\{Filename}:
    • http://{BLOCKED}ns.net:13/is-recving<|>{File Path}\{Filename}
• enum-driver → it does the following:
  • It connects to the following URL and sends the following information through HTTP POST:
    • http://{BLOCKED}ns.net:13/is-enum-driver
    • Active drives and their types.
  • It sets the User-Agent header in the HTTP request using the following system information:
    • {Volume Serial Number}<|>{Computer Name}<|>{Username}<|>{OS Caption}<|>plus<|>{Antivirus Product Name} | nan-av<|>true | false - {Current Date}
• enum-faf<|>{Directory} → it does the following:
  • It connects to the following URL and sends the following information through HTTP POST:
    • http://{BLOCKED}ns.net:13/is-enum-faf
    • List of files, folders, and subfolders, and their attributes in {Directory}
  • It sets the User-Agent header in the HTTP request using the following system information:
    • {Volume Serial Number}<|>{Computer Name}<|>{Username}<|>{OS Caption}<|>plus<|>{Antivirus Product Name} | nan-av<|>true | false - {Current Date}
• enum-process → it does the following:
  • It connects to the following URL and sends the following information through HTTP POST:
    • http://{BLOCKED}ns.net:13/is-enum-process
    • List of running processes including process name, PID, and executable path.
  • It sets the User-Agent header in the HTTP request using the following system information:
    • {Volume Serial Number}<|>{Computer Name}<|>{Username}<|>{OS Caption}<|>plus<|>{Antivirus Product Name} | nan-av<|>true | false - {Current Date}
• cmd-shell<|>{Command} → it does the following:
  • It connects to the following URL and sends the following information through HTTP POST:
    • http://{BLOCKED}ns.net:13/is-cmd-shell
    • Output of the executed command including error output.
  • It sets the User-Agent header in the HTTP request using the following system information:
    • {Volume Serial Number}<|>{Computer Name}<|>{Username}<|>{OS Caption}<|>plus<|>{Antivirus Product Name} | nan-av<|>true | false - {Current Date}
  • It executes the following command:
    • %comspec% /c {Command}
• delete<|>{File Path}\{Filename} | {Directory} → it deletes the specified file or folder.
• exit-process<|>{PID} → it terminates a process specified by its PID.
• sleep<|>{Value} → it sets the duration of sleep using a specified value in milliseconds.

Andere Details

Fügt die folgenden Registrierungsschlüssel hinzu:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware Name}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Name}

HKEY_LOCAL_MACHINE\SOFTWARE
{Malware Name}

Es macht Folgendes:

• It creates shortcuts of all files, folders, and subfolders in active removable drives using the same file name, folder name, and icon.
• It sets the attributes of all files, folders, and subfolders, excluding shortcut files to Hidden and System in active removable drives.
• The created shortcut files contain the following command line in their target:
  • For files:
    • %System%\cmd.exe /c start {Malware Filename}&start {Original Filename}&exit → opens both the copied malware and the original file.
  • For folders and subfolders:
    • %System%\cmd.exe /c start {Malware Filename}&start explorer {Original Folder Name}&exit → opens both the copied malware and the original folder.
• It loops its routine indefinitely ensuring it affects all current and newly inserted removable drives.

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)