Author Topic: Worm.VBS.Dunihi.W  (Read 25687 times)


tkt
Worm.VBS.Dunihi.W
« on: December 31, 2013, 09:09:25 AM »
https://www.virustotal.com/en/file/b6c3ef3062891a72e4bf06f678c11281a5a910ed92af306c2c2784bf97df4a47/analysis/1388476467/
Some reputed antivirus products detect it as a virus (Worm.VBS.Dunihi.W), but avast does not. Please analyse it.

Edit: link to sample removed.
« Last Edit: December 31, 2013, 01:28:19 PM by Milos »

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #1 on: December 31, 2013, 11:39:15 AM »
Hi,

Please remove your link and send it via Private Message to the following people: Steven Winderlich, Polonus, and me.

That is considered dangerous and is not allowed here.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #2 on: December 31, 2013, 11:46:18 AM »
Malwr: https://malwr.com/analysis/YmNmZWEyNjkyMjc0NDFhNDgxYzA0YWE5NWI4MDA0MGQ/

Polonus, can you scan and track those IPs and websites that it contacts?

Note: Given that it's USB-based, I have no other way to do this. I've launched the file. MCShield picks it up as suspicious and renames it to fenfd..vir (making it unusable).

I will deal with the malware in a second here. Confirmed as malicious in nature.

Recommended: If you have launched this file, close out ALL files and disconnect any USB devices until further notice. Install MCShield and wait for instructions.
« Last Edit: December 31, 2013, 11:58:45 AM by alan1998 »

Offline DavidR
Re: Worm.VBS.Dunihi.W
« Reply #3 on: December 31, 2013, 01:34:06 PM »
Hi,

Please remove your link and send it via Private Message to the following people: Steven Winderlich, Polonus, and me.

That is considered dangerous and is not allowed here.

They shouldn't be sent to anyone other than directly to avast; this is not a quasi malware distribution forum.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.870) UI 1.0.818/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #4 on: December 31, 2013, 01:36:06 PM »
It's just been reported. However, given that Steven and I test this, there should be exceptions.

To the OP: http://forum.avast.com/index.php?topic=53253.0

Follow that link to find MCShield


Offline polonus
Re: Worm.VBS.Dunihi.W
« Reply #5 on: December 31, 2013, 01:52:00 PM »
First, the IP it contacts out to according to the Malwr analysis is in Algeria; from that same AS we see an ETPRO TROJAN Win32.Refroso.dmzq launching from various domains there.
The AS is only known for spam activity lately, no blacklisted domains, so the malcode may be recent!
It is not flagged here, but that might be a scam on its own: http://www.scamadviser.com/is-ec.djaweb.dz-safe.html
Well then, here is all the bad out there reported: http://support.clean-mx.de/clean-mx/portals.php?email=n.djouahra@djaweb.dz&response=
Defacements galore - an abused and misused server...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #6 on: December 31, 2013, 02:03:39 PM »
Thanks Polonus. Milos, can anything be done about those websites? They aren't blocked for me....

Offline polonus
Re: Worm.VBS.Dunihi.W
« Reply #7 on: December 31, 2013, 02:39:39 PM »
Hi alan1998,

Something should be done; this VBS script virus is a deadly dangerous file infector, taking out 0 to 50 files at a time.

pol

Offline Secondmineboy
Re: Worm.VBS.Dunihi.W
« Reply #8 on: December 31, 2013, 02:52:21 PM »
So it's a VBS worm and a file infector?

That's a really bad virus. >:(
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #9 on: December 31, 2013, 03:14:24 PM »
Hi alan1998,

Something should be done; this VBS script virus is a deadly dangerous file infector, taking out 0 to 50 files at a time.

pol

I REALLY hope you are kidding.
« Last Edit: December 31, 2013, 03:17:26 PM by alan1998 »

Offline Secondmineboy
Re: Worm.VBS.Dunihi.W
« Reply #10 on: December 31, 2013, 03:17:21 PM »
It's detected by MCShield for me here. Tested it out.

Maybe you can inform Magne86; he's online right now.
Maybe he can tell us something about this VBS thing.

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #11 on: December 31, 2013, 03:18:18 PM »
It's detected by MCShield for me here. Tested it out.

Same. However, not on my virtual machine, since it won't find my USB stick.

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #12 on: December 31, 2013, 03:21:32 PM »
It's detected by MCShield for me here. Tested it out.

Maybe you can inform Magne86; he's online right now.
Maybe he can tell us something about this VBS thing.

Magna has already asked for the links for MCShield Database. I'm soooo screwed right now.

Offline Secondmineboy
Re: Worm.VBS.Dunihi.W
« Reply #13 on: December 31, 2013, 03:22:31 PM »
That's weird.

Also still 9/48 on Virustotal: https://www.virustotal.com/de/file/2768027b719e951808d5599e8fba028fabaacd972cb7f611e22371a778bb54d6/analysis/1388499600/

First submission 2 hours ago.

Here's a link to the Offline Database Updater: http://www.mcshield.net/download/MCShield-Database-Updater.exe
Direct download link.
« Last Edit: December 31, 2013, 03:24:14 PM by Steven Winderlich »

Offline Michael (alan1998)
Re: Worm.VBS.Dunihi.W
« Reply #14 on: December 31, 2013, 03:25:08 PM »
That's weird.

Also still 9/48 on Virustotal: https://www.virustotal.com/de/file/2768027b719e951808d5599e8fba028fabaacd972cb7f611e22371a778bb54d6/analysis/1388499600/

First submission 2 hours ago.

Here's a link to the Offline Database Updater: http://www.mcshield.net/download/MCShield-Database-Updater.exe
Direct download link.

As seen here:

https://www.virustotal.com/en/file/b6c3ef3062891a72e4bf06f678c11281a5a910ed92af306c2c2784bf97df4a47/analysis/1388476467/
Some reputed antivirus products detect it as a virus (Worm.VBS.Dunihi.W), but avast does not. Please analyse it.

Edit: link to sample removed.