Backdoor.JS.DUNIHI.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following copies of itself into the affected system and executes them:

• %Application Data%\{malware file name}.js

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\WScript.exe {malware directory}\{malware file name}.js
• %System%\wscript.exe //B %Application Data%{malware file name}.js

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware file name} = "wscript.exe //B "%Application Data%{malware file name}.js"

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\{malware file name}.js

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• install -> creates autorun registry and drops copy in startup directory
• uninstall -> deletes autorun registry entry and dropped copy
• launch -> executes file
• exit -> exits current process
• receive -> receives commands
• upd -> drops file and execute
• rst -> executes file
• l32 -> executes file
• dct -> exits current process
• rbt -> shutdown /r /t 0 /f
• shd -> shutdown /s /t 0 /f
• lgf -> shutdown /l /f
• idn -> checks if system has .NET framework installed
• ins -> install
• uis -> uninstall
• int.g -> http send plugin parameter then sleep
• int.s -> sleep time
• fi* -> used for FilePlugin
• lb* -> used for LibraryPlugin
• do* -> used for DownloadPlugin
• sc* -> used for ScreenPlugin
• ou* -> used for OutlookPlugun
• px* -> used for ProxyPlugin
• cn* -> used for ShellPlugin

It connects to the following websites to send and receive information:

• http://protogoo.{BLOCKED}ing.com:9989

Information Theft

This Backdoor gathers the following data:

• OS Volume Serial
• UUID
• Computer Name
• User Name
• OS Caption
• OS Version
• Tag
• OS Screen Resoltuion