VBS_DUNIHI.CJ

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies the Internet Explorer Zone Settings.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system and executes them:

• %TEMP%\Servieca.vbs

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Servieca.vbs = "%TEMP%\Servieca.vbs"

It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %User Profile%\Start Menu\Programs\Startup\Servieca.vbs

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_USERS \{SID}
njq8 = "n"

Web Browser Home Page and Search Page Modification

This Trojan modifies the Internet Explorer Zone Settings.

Other Details

This Trojan connects to the following possibly malicious URL:

• http://facebookjordan.{BLOCKED}o.org:99/ready

NOTES:

This malware drops shortcut files pointing to the copy of itself in removable drives. The dropped .LNK files use the names of the folders, subfolders and files located on the said drives for their file names. It then sets the attributes of the original folders to System and Hidden to trick the user into clicking the .LNK files.