VBS_DUNIHI.CJ
Troj/VBS-BS (Sophos)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It modifies the Internet Explorer Zone Settings.
TECHNICAL DETAILS
15,977 bytes
VBS
28 Oct 2013
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %TEMP%\Servieca.vbs
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"
It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:
- %User Profile%\Start Menu\Programs\Startup\Servieca.vbs
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_USERS \{SID}
njq8 = "n"
Web Browser Home Page and Search Page Modification
This Trojan modifies the Internet Explorer Zone Settings.
Other Details
This Trojan connects to the following possibly malicious URL:
- http://facebookjordan.{BLOCKED}o.org:99/ready
NOTES:
This malware drops shortcut files pointing to the copy of itself in removable drives. The dropped .LNK files use the names of the folders, subfolders and files located on the said drives for their file names. It then sets the attributes of the original folders to System and Hidden to trick the user into clicking the .LNK files.