search
close

WORM_DUNIHI.AUSHN

March 25, 2018
 Analysis by: John Kevin Sanchez
 ALIASES:

VBS/BackDoor-FAA (McAfee)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It enables its automatic execution at every system startup by dropping copies of itself into the Windows Common Startup folder.

It drops copies of itself into all the removable drives connected to an affected system.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

81,114 bytes

File Type:

SWF

Memory Resident:

Yes

Initial Samples Received Date:

25 Mar 2018

Arrival Details

This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops the following copies of itself into the affected system:

  • %User Temp%\system.wSf

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Worm creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
system = wscript.exe //B "%User Temp%\system.wSf"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
system = wscript.exe //B "%User Temp%\system.wSf"

It enables its automatic execution at every system startup by dropping the following copies of itself into the Windows Common Startup folder:

  • %User Startup%\system.wSf

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Other System Modifications

This Worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\system

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\system
{Default} = {true or false} - {date}

Propagation

This Worm drops copies of itself into all the removable drives connected to an affected system.

It sets the attributes of the following items to Hidden to trick the user into clicking the .LNK files:

  • Folders in removable drives

It creates shortcut files (.LNK) disguised as folders or files located on the affected drives pointing to the malware copy.

Other Details

This Worm connects to the following possibly malicious URL:

  • http://ho{BLOCKED}n.d{BLOCKED}.net:9999/is-ready

However, as of this writing, the said sites are inaccessible.