JS_TROJWMI.A
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Dropped by other malware
Upon execution, this malware registers a malicious JScript in the Windows Management Instrumentation (WMI) repository as a permanent event consumer. The script connects to a remote site, possibly to download other malicious file(s), and can execute arbitrary commands. Because the script is stored inside the WMI repository rather than as a file on disk, it is hidden from the user and is run again each time the associated WMI event fires. The malware then deletes itself and its dropper once its execution is completed.
This Trojan may be dropped by other malware.
TECHNICAL DETAILS
File Size: 5,492 bytes
File Type: JS
Memory Resident: Yes
Initial Samples Received Date: 06 Apr 2010
Payload: Connects to URLs/IPs
Arrival Details
This Trojan may be dropped by the following malware:
- TROJ_DAPATO.DH
NOTES:
This Trojan registers the malicious script as an ActiveScriptEventConsumer named Microsoft WMI Consumer Security Event_consumer in the root\subscription namespace. It also creates an __EventFilter named Microsoft WMI Consumer Security Event_filter, which is required for the consumer to be registered as a permanent event consumer and serves as the autostart mechanism for the malicious script.
An __IntervalTimerInstruction named Microsoft WMI Consumer Security Event_WMITimer is created so that the event fires every 60 seconds. Finally, a __FilterToConsumerBinding instance is created to bind the __EventFilter to the consumer, completing the subscription.
This malicious script connects to the following URL to notify a remote user of an infection:
- http://{BLOCKED}.172/macas/all.php?cstype=server&authname=servername&authpass=serverpass&hostname={computer name}&ostype={OS version}&macaddr={MAC address}&owner={ID}&version={random}
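The following PowerShell script is an added example and is not code from the Trend Micro write-up or from the malware. It enumerates every permanent WMI event subscription in root\subscription on the local host, resolves each binding to its filter and consumer, lists interval timers, and flags the three object names given in the description above. The output layout and the SUSPECT marker are assumptions of this example; any names that are not listed above are not claimed to be indicators.

```powershell
# Added example (not from the Trend Micro description): list permanent WMI event
# subscriptions and flag the object names this Trojan is documented to use.
$ns = 'root\subscription'
$indicators = @(
    'Microsoft WMI Consumer Security Event_consumer',
    'Microsoft WMI Consumer Security Event_filter',
    'Microsoft WMI Consumer Security Event_WMITimer'
)

function Get-NameFromPath([string]$Path) {
    # Binding.Filter / Binding.Consumer are object paths such as
    # \\.\root\subscription:__EventFilter.Name="x"; pull the Name key out of them.
    if ($Path -match 'Name="([^"]+)"') { $Matches[1] } else { $Path }
}

function Escape-Wql([string]$Value) {
    # WQL string literals are delimited with single quotes and escaped with backslash.
    $Value -replace '\\', '\\' -replace "'", "\'"
}

Write-Output "== Interval timers in $ns =="
foreach ($t in @(Get-WmiObject -Namespace $ns -Class __IntervalTimerInstruction)) {
    # A timer-driven subscription is what gives the consumer its periodic beacon.
    $flag = if ($indicators -contains $t.TimerId) { 'SUSPECT' } else { '       ' }
    "$flag  $($t.TimerId)  fires every $($t.IntervalBetweenEvents) ms"
}

Write-Output "== Filter -> consumer bindings in $ns =="
foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
    $fName = Get-NameFromPath $b.Filter
    $cName = Get-NameFromPath $b.Consumer
    $filter = Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$(Escape-Wql $fName)'"
    # Query the abstract base class so every consumer type (ActiveScript,
    # CommandLine, NTEventLog, ...) is returned regardless of its concrete class.
    $consumer = Get-WmiObject -Namespace $ns -Class __EventConsumer -Filter "Name='$(Escape-Wql $cName)'"

    $flag = if (($indicators -contains $fName) -or ($indicators -contains $cName)) { 'SUSPECT' } else { '       ' }
    "$flag  filter   $fName"
    "         query    $($filter.Query)"
    "         consumer $cName [$($consumer.__CLASS)]"

    # ActiveScriptEventConsumer bodies run as SYSTEM inside scrcons.exe and never
    # touch the file system, so show the start of the script text for triage.
    if ($consumer.__CLASS -eq 'ActiveScriptEventConsumer' -and $consumer.ScriptText) {
        $body = $consumer.ScriptText -replace '\s+', ' '
        if ($body.Length -gt 160) { $body = $body.Substring(0, 160) + '...' }
        "         script   [$($consumer.ScriptingEngine)] $body"
    }
}
```

Run it from an elevated prompt; reading root\subscription requires administrative rights on most systems. A binding whose consumer is an ActiveScriptEventConsumer with a script you cannot account for is worth investigating even when its name does not match the indicators above, since only the names are specific to this sample while the technique is generic.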
SOLUTION
Minimum Scan Engine: 9.200
First VSAPI Pattern File: 6.972.11
First VSAPI Pattern Release Date: 06 Apr 2010
VSAPI OPR Pattern Version: 6.973.00
VSAPI OPR Pattern Release Date: 06 Apr 2010
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 3
Scan your computer with your Trend Micro product to delete files detected as JS_TROJWMI.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Deleting Malicious Script
To delete the WMI subscription objects created by this malware using the WMI Command-line Tool (WMIC):
- Open a WMI command-line. To do this, click Start>Run, type WMIC in the text box provided, then press Enter.
- Type the following on the command-line tool to delete the malicious event consumer:
- /namespace:\\root\subscription PATH ActiveScriptEventConsumer delete
- Press Y and Enter when prompted to delete the following; press N and Enter if other values are shown: \\{computer name}\ROOT\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Consumer Security Event_consumer"
- Type the following on the command-line tool to delete the event filter:
- /namespace:\\root\subscription PATH __EventFilter delete
- Press Y and Enter when prompted to delete the following; press N and Enter if other values are shown: \\{computer name}\ROOT\subscription:__EventFilter.Name="Microsoft WMI Consumer Security Event_filter"
- Type the following on the command-line tool to delete the timer instruction:
- /namespace:\\root\subscription PATH __IntervalTimerInstruction delete
- Press Y and Enter when prompted to delete the following; press N and Enter if other values are shown: \\{computer name}\ROOT\subscription:__IntervalTimerInstruction.TimerId="Microsoft WMI Consumer Security Event_WMITimer"
- Type the following on the command-line tool to delete the FilterToConsumerBinding:
- /namespace:\\root\subscription PATH __FilterToConsumerBinding delete
- Press Y and Enter when prompted to delete the following; press N and Enter if other values are shown: \\{computer name}\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name=\"Microsoft WMI Consumer Security Event_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name=\"Microsoft WMI Consumer Security Event_filter\""
- Each PATH ... delete command enumerates every instance of that class and prompts for each one. Answer N for any instance that is not listed above; some Windows versions ship legitimate subscriptions in this namespace (for example a built-in SCM Event Log Filter and SCM Event Log Consumer) that must be kept.
- Type quit or exit to close the command-line tool.
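The following PowerShell script is an added example and is not part of the Trend Micro instructions. It removes the same four objects the WMIC steps above walk through, but selects them by the names given in the description instead of relying on Y/N prompts, and it removes the binding first so the subscription cannot fire while the other objects are being deleted. The -DryRun switch, the evidence dump to %TEMP% and the message format are assumptions of this example.

```powershell
# Added example (not from the Trend Micro description): targeted removal of the
# WMI persistence objects documented above, with a dry-run mode and an evidence
# copy of the consumer's script text taken before anything is deleted.
param([switch]$DryRun)

$ns       = 'root\subscription'
$consumer = 'Microsoft WMI Consumer Security Event_consumer'
$filter   = 'Microsoft WMI Consumer Security Event_filter'
$timer    = 'Microsoft WMI Consumer Security Event_WMITimer'

function Remove-Instances {
    param([string]$Label, [object[]]$Instances)
    if (-not $Instances -or $Instances.Count -eq 0) {
        Write-Output "[-] $Label not present"
        return
    }
    foreach ($i in $Instances) {
        if ($DryRun) {
            Write-Output "[dry-run] would delete $Label : $($i.__RELPATH)"
        } else {
            $i | Remove-WmiObject
            Write-Output "[+] deleted $Label : $($i.__RELPATH)"
        }
    }
}

# Preserve evidence first: the consumer's ScriptText is the only copy of the
# malicious JScript, because it is stored in the WMI repository, not on disk.
$c = @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='$consumer'")
if ($c.Count -gt 0 -and $c[0].ScriptText) {
    $dump = Join-Path $env:TEMP 'trojwmi_consumer_script.txt'   # assumed location
    $c[0].ScriptText | Out-File -FilePath $dump -Encoding UTF8
    Write-Output "[*] consumer script saved to $dump"
}

# 1. The binding: this is what connects filter events to the consumer.
#    Binding.Filter / Binding.Consumer are object paths that embed the names.
$b = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
      Where-Object { $_.Filter -like "*$filter*" -or $_.Consumer -like "*$consumer*" })
Remove-Instances '__FilterToConsumerBinding' $b

# 2. Consumer, 3. filter, 4. timer, each selected by its documented name.
Remove-Instances 'ActiveScriptEventConsumer' $c
Remove-Instances '__EventFilter' @(Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$filter'")
Remove-Instances '__IntervalTimerInstruction' @(Get-WmiObject -Namespace $ns -Class __IntervalTimerInstruction -Filter "TimerId='$timer'")
```

Run it as an administrator with -DryRun first to confirm that only the four expected instances are matched, then without the switch to delete them. Remove-WmiObject requires PowerShell 2.0 or later, so on Windows XP and Windows Server 2003 the WMIC procedure above remains the fallback when PowerShell is not installed.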