Author Topic: Worm.VBS.Dunihi.W  (Read 25688 times)


Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #15 on: December 31, 2013, 03:27:01 PM »
I checked the direct script there.

This scan checks the archive. Weird that Trend Micro-Housecall detects the archive but not the VBS File itself.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Worm.VBS.Dunihi.W
« Reply #16 on: December 31, 2013, 03:35:37 PM »
Can someone confirm its infection capabilities for infecting files? And what is targeted?
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Worm.VBS.Dunihi.W
« Reply #17 on: December 31, 2013, 03:37:28 PM »
Hi all,

Allow me to explain. All of these *.vbs or *.vbe ( * = random name ) script worms must use some loading point.
Most of them just establish themselves in one of the "Run" keys ( HKLM or HKCU ). All of them use the legitimate wscript.exe process for loading (C:\Windows\system32\wscript.exe).
In this way it defends itself from being deleted.

Their job is to keep running in the host system as long as possible while performing malicious acts, waiting for a newly attached USB device that will serve as transfer to other hosts.
They are not file infectors and they are not dangerous for the system itself, but they are part of a malware family; they have the characteristics of script worms.

There is one catch.
If this script worm is active on the host machine, MCShield can not fully disinfect the USB device. Why?
Well, while the MCS job is to remove any malware from USB, malware that is active on the host machine has a duty to re-infect the USB at any time, and thus a cleaning loop results.

Disinfection of these variants is the following:
* Delete malware from the host system;
* Delete malware from USB devices;

Cleaning the host system:
- From Task Manager, kill the wscript.exe process.
- When there is nothing to protect it, the malware file is easy to delete (even manually by right click > Delete).
- Delete the related registry key.

=> We from MyCity AMF Lab have created a new small tool whose task is to kill each .vbs or .vbe malware file from the host system.

http://www.mcshield.net/download/tools/Anti-VBSVBE/
Anti-VBSVBE is a small utility that should clean vbs and vbe script worms from your host system, from your computer.

Cleaning the USB devices:
When the host system is clean (using Anti-VBSVBE or some other malware removal tool), there's nothing to spread malware to USB devices. MCShield has the green light to clean malware without interference.

- Download and install MCShield and allow it to remove all malware from USB devices.
http://www.mcshield.net/

Cheers,

 ;)


« Last Edit: December 31, 2013, 03:41:26 PM by magna86 »
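The three host-side steps magna86 lists (stop the wscript.exe process, delete the script it was protecting, delete the Run value that starts it) as a PowerShell triage script. This is an added example, not magna86's Anti-VBSVBE tool and not code posted in this thread. It assumes an elevated Windows PowerShell 5.1+ session; the quarantine folder under ProgramData and the -Remove switch are this example's own choices. Without -Remove it only reports what it found.

```powershell
<#
  Added example, not the Anti-VBSVBE tool: report (and with -Remove, undo) the
  host-side persistence of a .vbs/.vbe script worm, in the order given above:
  kill wscript.exe first, then quarantine the script, then delete the Run value.
  Assumes an elevated Windows PowerShell 5.1+ session.
#>
param([switch]$Remove)

# Quarantine location is this example's choice, not something the thread names.
$Quarantine = Join-Path $env:ProgramData 'vbs-worm-quarantine'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Best-effort extraction of a script path from a command line such as
#   wscript.exe //B "C:\Users\me\AppData\Roaming\abc.vbs"
$ScriptPathPattern = '([A-Za-z]:\\[^"]+?\.vb[se])\b'

function Get-ScriptPath([string]$CommandLine) {
    $m = [regex]::Match($CommandLine, $ScriptPathPattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Step 1: live wscript.exe processes whose command line names a .vbs/.vbe file.
$procs = Get-CimInstance Win32_Process -Filter "Name='wscript.exe'" |
    Where-Object { $_.CommandLine -match '\.vb[se]\b' } |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Script      = Get-ScriptPath $_.CommandLine
            CommandLine = $_.CommandLine
        }
    }

# Step 2: Run/RunOnce values that launch a .vbs/.vbe, directly or via wscript.exe.
$values = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
        if ($p.Value -is [string] -and $p.Value -match '\.vb[se]\b') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Script = Get-ScriptPath $p.Value }
        }
    }
}

Write-Host "wscript.exe processes running a script: $(@($procs).Count)"
$procs  | Format-Table -AutoSize
Write-Host "Run/RunOnce values launching a script:  $(@($values).Count)"
$values | Format-Table Key, Name, Value -AutoSize

if (-not $Remove) { Write-Host 'Dry run. Re-run with -Remove to act.'; return }

# Step 3: the process goes first, so nothing re-creates the file or the Run
# value while they are being removed.
foreach ($p in $procs) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$scripts = @($procs.Script) + @($values.Script) | Where-Object { $_ } | Sort-Object -Unique
foreach ($path in $scripts) {
    if (Test-Path -LiteralPath $path) {
        # Move rather than delete, so the sample can still be submitted to a vendor.
        $dest = Join-Path $Quarantine ((Split-Path $path -Leaf) + '.quarantined')
        Move-Item -LiteralPath $path -Destination $dest -Force
        Write-Host "Quarantined $path -> $dest"
    }
}
foreach ($v in $values) {
    Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    Write-Host "Removed $($v.Key)\$($v.Name)"
}
```

Run it once without -Remove to see the process, the script path and the Run value side by side, then with -Remove. It deliberately covers only the Run/RunOnce keys the post mentions; a variant that persists through a Startup-folder shortcut or a scheduled task needs those locations checked as well, and an entry not caught here is worth reporting to the vendor along with the quarantined sample.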

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #18 on: December 31, 2013, 03:44:28 PM »
Here are three screenshots.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: Worm.VBS.Dunihi.W
« Reply #19 on: December 31, 2013, 05:22:50 PM »
So it only spreads through removable media? Am I right there?
The worm creates .lnk files to replace every folder and file in removable media. The attributes of the original folders and files are set to "System" and "Hidden" to hide them from the user.

The worm opens a back door and connects to the following domains:
school-pc.sytes.net:455
no99.zapto.org:81

For the C&C infrastructure see the following article, and read on the RAT capabilities of this so-called Houdini worm: http://www.fireeye.com/blog/technical/threat-intelligence/2013/09/now-you-see-me-h-worm-by-houdini.html

The worm may perform the following actions:
Accept and execute commands
Spread to USB or removable drives
Download and execute files
Update or uninstall itself
Log key strokes
Take screenshots
Terminate processes
Upload a local file back to the attacker
Delete a local file

The worm may also steal the following information from the compromised computer:
Drive list
File list
Folder list
Process list
Computer name
User name
Operating system version
Disk serial number
Installed antivirus products

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
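The removable-media side polonus describes (every folder and file replaced by a .lnk, the originals left in place but marked System+Hidden) in a recovery script for one USB stick. This is an added example, not MCShield's code and not code posted in this thread. It assumes a Windows PowerShell session, that the drive letter passed in is the infected stick, and, as magna86 explains above, that the host machine is already clean; the -Remove switch is this example's own convention and without it the script only reports.

```powershell
<#
  Added example, not MCShield's code: on one removable drive, list the .lnk decoys
  that launch a script host, the worm's own script copy, and the folders/files it
  hid; with -Remove, unhide the originals and delete the decoys and the script.
  Assumes Windows PowerShell and an already-clean host (otherwise the stick is
  simply re-infected, the cleaning loop described above).
#>
param(
    [Parameter(Mandatory)][string]$Drive,   # e.g. 'E:'
    [switch]$Remove
)
$root  = $Drive.TrimEnd('\') + '\'
$shell = New-Object -ComObject WScript.Shell   # used only to read .lnk targets

function Clear-HiddenSystem([System.IO.FileSystemInfo]$Item) {
    # Drop only the two bits the worm sets; leave ReadOnly, Archive, etc. alone.
    $mask = -bnot ([int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
    $Item.Attributes = [IO.FileAttributes]([int]$Item.Attributes -band $mask)
}

# 1. Decoy shortcuts in the drive root: the target is a script host or shell, or
#    the arguments name a .vbs/.vbe. A genuine user shortcut rarely looks like that.
$decoys = Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $launch = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
        if ($launch -match '(wscript|cscript|cmd)\.exe|\.vb[se]\b') {
            [pscustomobject]@{ Decoy = $_.FullName; Launches = $launch }
        }
    }

# 2. Originals the worm hid: Hidden+System items in the root, excluding the
#    volume's own system folder.
$hidden = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue | Where-Object {
    $_.Name -ne 'System Volume Information' -and
    $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
    $_.Attributes.HasFlag([IO.FileAttributes]::System)
}

# 3. The worm's own copy on the stick: a .vbs/.vbe file in the root (usually hidden too).
$scripts = Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.vb[se]$' }

Write-Host "Decoy shortcuts:      $(@($decoys).Count)";  $decoys  | Format-Table -AutoSize
Write-Host "Hidden+System items:  $(@($hidden).Count)";  $hidden  | Select-Object Name, Attributes | Format-Table -AutoSize
Write-Host "Script files in root: $(@($scripts).Count)"; $scripts | Select-Object FullName | Format-Table -AutoSize

if (-not $Remove) { Write-Host 'Dry run. Re-run with -Remove to clean.'; return }

# Unhide first (the script copy is usually among the hidden items), then delete.
foreach ($h in $hidden)  { Clear-HiddenSystem $h; Write-Host "Unhid $($h.FullName)" }
foreach ($d in $decoys)  { Remove-Item -LiteralPath $d.Decoy -Force;    Write-Host "Deleted $($d.Decoy)" }
foreach ($s in $scripts) { Remove-Item -LiteralPath $s.FullName -Force; Write-Host "Deleted $($s.FullName)" }
```

The dry run is the useful part for a first look: each decoy is listed next to the command it would launch, so a shortcut that really is a user's own can be spotted before anything is deleted. The script only looks at the drive root, which is where this variant places its decoys; if a stick also shows hidden items in subfolders, the same three steps apply there.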

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #20 on: December 31, 2013, 05:26:53 PM »
That's a bad list of things this worm is doing. >:(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: Worm.VBS.Dunihi.W
« Reply #21 on: December 31, 2013, 05:44:07 PM »
Hi Steven Winderlich,

In a sense this worm is infecting files and also the registry, with a random name, to start up every time Windows starts.
In a sense it is nasty spyware and therefore detected by Emsisoft's.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Worm.VBS.Dunihi.W
« Reply #22 on: December 31, 2013, 06:04:33 PM »
The worm opens a back door and connects to the following domains:
school-pc.sytes.net:455
no99.zapto.org:81

For the C&C infrastructure see the following article, and read on the RAT capabilities of this so-called Houdini worm: http://www.fireeye.com/blog/technical/threat-intelligence/2013/09/now-you-see-me-h-worm-by-houdini.html

pol

I know what a RAT is. Scares the * out of me. Jeez. I've cleaned my host machine up. Thanks Magna86 for those instructions.

Polonus, you said it opens a backdoor, correct? Even if the file and the reg keys are gone, is it still there?

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #23 on: December 31, 2013, 07:36:50 PM »
@Polonus: It's not Emsisoft which is detecting this. It's Bitdefender.
Almost every AV in that list is using an engine from Bitdefender (Emsisoft, GData, F-Secure).

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: Worm.VBS.Dunihi.W
« Reply #24 on: January 01, 2014, 01:26:07 AM »
Hi Steven Winderlich,

Thanks for that precision. Bitdefender has a wide detection array and sometimes still flags when malcode has already been closed or is dead.
In this case Bitdefender's detection has helped us to detect a blind spot with other AV. My experience is that DrWeb and avast are also complementary. That is why I also check with Dr.Web's URL scanner. What avast! detects DrWeb may be missing, what avast! misses DrWeb may flag. For the reason you mentioned I still have Bitdefender's TrafficLight extension both in Firefox and the Google Chrome browser for the search engine results etc. (it comes with an Internet Tracker for web analytics and social network plug-in blocking, and flash off by default) and ad blocking now.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #25 on: January 01, 2014, 02:26:07 PM »
The VBS-Script is now detected as VBS:Malware-Gen. ;D

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Worm.VBS.Dunihi.W
« Reply #26 on: January 01, 2014, 02:31:24 PM »
Malwarebytes still won't detect it. Has someone reported it to them?

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Worm.VBS.Dunihi.W
« Reply #27 on: January 01, 2014, 02:35:24 PM »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
  • F-Secure user
Re: Worm.VBS.Dunihi.W
« Reply #28 on: January 01, 2014, 02:45:30 PM »
Malwarebytes still won't detect it. Has someone reported it to them?
It is now .... reported

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Worm.VBS.Dunihi.W
« Reply #29 on: January 01, 2014, 03:02:39 PM »