Analysis by: Rika Joi Gregorio
ALIASES:

Worm:VBS/Jenxcus.BC(Microsoft), VBS.Dunihi(Symantec), VBS/Autorun.worm.aaph(McAfee), VBS/Agent.NDH worm(Eset)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 39,755 bytes
File Type: VBS
Memory Resident: Yes
Initial Samples Received Date: 08 Oct 2013

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %User Temp%\{malware file name and extenstion}

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following files:

  • {Drive letter}:\{folder name}.lnk - if folder exists in removable drive

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{malware file name} = "wscript.exe //B "%User Temp%\{malware file name and extenstion}""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{malware file name} = "wscript.exe //B "%User Temp%\{malware file name and extenstion}""

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\{malware file name}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Scripts

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\{malware file name}
(Default) = "{true or false} - {date of execution}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Scripts
{random} = "{hex values}"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {Drive letter}:\{malware file name and extension}

Other Details

This worm connects to the following possibly malicious URL:

  • http://basss.{BLOCKED}p.info:2023/is-ready

NOTES:

This worm creates .LNK (shortcut) files using folder names found in removable drives. It then hides the original folder tricking users to click .LNK files. This .LNK files point out to a dropped copy of itself in the removable drive.