VBS_DUNIHI.SM2

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %User Temp%\{malware file name}.vbs

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following files:

• {drive letter}:\{folder / file name}.lnk

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware file name} = "wscript.exe //B "%User Temp%\{malware file name}.vbs""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware file name} = "wscript.exe //B "%User Temp%\{malware file name}.vbs""

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\{malware file name}.vbs

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\{malware file name}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\{malware file name}
(Default) = "{true or false (if executed from removable drive)} - {date of first execution}"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {drive letter}:\{malware file name}.vbs

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Execute files
• Update itself
• Uninstall itself
• Donwnload files
• Upload files
• Enumerate drivers
• Enumerate files and folders
• Enumerate processes
• Perform remote shell
• Delete files and folders
• Terminate process
• Sleep

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• http://{BLOCKED}.{BLOCKED}.186.27:288/is-ready
• http://{BLOCKED}no.no-ip.org:1806/is-ready
• http://{BLOCKED}ajjar.no-ip.biz:12345/is-ready
• http://herohero.{BLOCKED}p.org:96/is-ready
• http://s-mz.{BLOCKED}s.net:30516/is-ready

Information Theft

This worm gathers the following data:

• Computer name
• Host name
• OS Version
• Installed AV products
• Volume serial number

NOTES:

This worm creates .LNK (shortcut) files using folder or file names found in removable drives. It then hides the original folder/file tricking users to click .LNK files. This .LNK files point out to a dropped copy of itself in the removable drive.