Worm.VBS.Dunihi.W

https://www.virustotal.com/en/file/b6c3ef3062891a72e4bf06f678c11281a5a910ed92af306c2c2784bf97df4a47/analysis/1388476467/
Some reputed antivirus products detect it as a virus (Worm.VBS.Dunihi.W) but Avast does not. Please analyse it.

Edit: link to sample removed.

Hi,

Please remove your link and send it via Private Message to the following people: Steven Winderlich, Polonus, and me.

That is considered dangerous and it is not allowed here.

Malwr: https://malwr.com/analysis/YmNmZWEyNjkyMjc0NDFhNDgxYzA0YWE5NWI4MDA0MGQ/

Polonus, can you scan and track those IPs and websites that it contacts?

Note: Given it’s USB, I have no other way to do this. I’ve launched the file. MCShield picks it up as suspicious and renames it to fenfd…vir (making it unusable).

I will deal with the malware in a second here. Confirmed as malicious in nature.

Recommended: If you have launched this file, close out ALL files and disconnect any USB devices until further notice. Install MCShield and wait for instructions.

They shouldn’t be sent to anyone other than directly to Avast; this is not a quasi malware distribution forum.

It’s just been reported. However, given that Steven and I test this, there should be exceptions.

To the OP: http://forum.avast.com/index.php?topic=53253.0

Follow that link to find MCShield

First, the IP it contacts out to according to the Malwr analysis is in Algeria: from that same AS we see an ETPRO TROJAN Win32.Refroso.dmzq
launching from various domains there.
The AS is only known for spam activity lately, no blacklisted domains, so the malcode may be recent!
It is not flagged here, but that might be a scam on its own: http://www.scamadviser.com/is-ec.djaweb.dz-safe.html
Well then, here is all the bad out there reported: http://support.clean-mx.de/clean-mx/portals.php?email=n.djouahra@djaweb.dz&response=
defacements galore - abused and misused server…

polonus

Thanks Polonus. Milos, can anything be done about those websites? They aren’t blocked for me…

Hi alan1998,

Something should be done; this VBS script virus is a deadly dangerous file infector, taking out 0 to 50 files at a time.

pol

So it’s a VBS worm and a file infector?

That’s a really bad virus. >:(

I REALLY hope you are kidding.

It’s detected by MCShield for me here. Tested it out.

Maybe you can inform Magne86; he’s online right now.
Maybe he can tell us something about this VBS thing.

Same. However, not on my Virtual Machine since it won’t find my USB stick

Magna has already asked for the links for MCShield Database. I’m soooo screwed right now.

That’s weird.

Also still 9/48 on Virustotal: https://www.virustotal.com/de/file/2768027b719e951808d5599e8fba028fabaacd972cb7f611e22371a778bb54d6/analysis/1388499600/

First submission 2 hours ago.

Here’s a link to the Offline Database Updater: http://www.mcshield.net/download/MCShield-Database-Updater.exe
Direct download link.

As seen here:

I checked the direct script there.

This scan checks the archive. Weird that Trend Micro HouseCall detects the archive but not the VBS file itself.

Can someone confirm its infection capabilities for infecting files? And what is targeted?

Hi all,

Allow me to explain. All of these *.vbs or *.vbe files ( * = randomly named ) script worms must use some loading point.
Most of them just establish themselves in one of the “Run” keys ( HKLM or HKCU ). All of them use the legitimate wscript.exe process for loading (C:\Windows\system32\wscript.exe).
In this way it defends itself from being deleted.

Their job is to keep running on the host system as long as possible while performing malicious acts, waiting for a newly attached USB device that will serve as transfer to other hosts.
They are not file infectors and they are not dangerous for the system itself, but they are part of a malware family; they have the characteristics of script worms.

There is one catch.
If this script worm is active on the host machine, MCShield can not fully disinfect the USB device. Why?
Well, while the MCS job is to remove any malware from USB, malware that is active on the host machine has the job of re-infecting the USB at any time, thus resulting in a cleaning loop.

Disinfection of these variants is the following:

  • Delete malware from host system;
  • Delete malware from USB devices;

Cleaning the host system:

  • From task manager kill the wscript.exe process.
  • When there is nothing to protect it, the malware file is easy to delete (even manually by right click > delete).
  • Delete the related registry key.

=> We at MyCity AMF Lab have created a new small tool whose task is to kill each .vbs or .vbe malware file on the host system.

http://www.mcshield.net/download/tools/Anti-VBSVBE/
Anti-VBSVBE is a small utility that should clean .vbs and .vbe script worms from your host system, from your computer.

Cleaning the USB devices:
When the host system is clean (using Anti-VBSVBE or some other malware removal tool), there’s nothing to spread malware onto USB devices. MCShield has a green light to clean malware without interference.

Cheers,

:wink:

Here are three screenshots.
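The three host-side steps above (kill wscript.exe, delete the script file, delete the Run value) can be audited and previewed before anything is touched. The following PowerShell is an added example written for this thread; it is not MCShield or Anti-VBSVBE code. It assumes only the standard HKLM/HKCU Run and RunOnce keys as loading points and that the Run value names wscript.exe or a .vbs/.vbe path; the helper names `Get-ScriptWormPersistence` and `Remove-ScriptWormPersistence` are invented here.

```powershell
# Added example (not from this thread or from MCShield): audit and, optionally,
# undo the persistence described above: a Run/RunOnce value that starts a
# .vbs/.vbe file through wscript.exe, plus the wscript.exe process holding it.

function Get-ScriptWormPersistence {
    [CmdletBinding()]
    param()

    # Running wscript.exe instances are reported first, so that piping the
    # findings into Remove-ScriptWormPersistence kills them before touching files.
    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" | ForEach-Object {
        [PSCustomObject]@{
            Source   = 'Process'
            Location = $_.ProcessId
            Name     = $_.Name
            Command  = $_.CommandLine
        }
    }

    # Standard per-machine and per-user autostart keys (the "Run" keys in the post).
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # A value is suspicious if it launches wscript.exe or names a .vbs/.vbe file.
    $pattern = 'wscript\.exe|\.vb[se]\b'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $value = [string]$prop.Value
            if ($value -match $pattern) {
                [PSCustomObject]@{
                    Source   = 'RunKey'
                    Location = $key
                    Name     = $prop.Name
                    Command  = $value
                }
            }
        }
    }
}

function Remove-ScriptWormPersistence {
    # Applies the three steps from the post: kill wscript.exe, delete the script
    # file, delete the Run value. Supports -WhatIf so you can preview first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)

    process {
        switch ($Finding.Source) {
            'Process' {
                if ($PSCmdlet.ShouldProcess("wscript.exe PID $($Finding.Location)", 'Stop-Process')) {
                    Stop-Process -Id $Finding.Location -Force
                }
            }
            'RunKey' {
                # The script path is usually the quoted or unquoted argument to wscript.exe.
                if ($Finding.Command -match '([A-Za-z]:\\[^"]*?\.vb[se])\b') {
                    $scriptPath = $Matches[1]
                    if ((Test-Path -LiteralPath $scriptPath) -and
                        $PSCmdlet.ShouldProcess($scriptPath, 'Remove-Item')) {
                        Remove-Item -LiteralPath $scriptPath -Force
                    }
                }
                if ($PSCmdlet.ShouldProcess("$($Finding.Location) -> $($Finding.Name)", 'Remove-ItemProperty')) {
                    Remove-ItemProperty -Path $Finding.Location -Name $Finding.Name
                }
            }
        }
    }
}

# Usage: review the findings first, then preview with -WhatIf, then drop -WhatIf to act.
$findings = Get-ScriptWormPersistence
$findings | Format-Table -AutoSize
$findings | Remove-ScriptWormPersistence -WhatIf
```

Run it from an elevated PowerShell so the HKLM keys and all wscript.exe processes are visible. Findings are emitted as objects rather than printed text so they can be saved (`Export-Csv`) as a record of what was on the machine before cleaning, and a benign wscript.exe entry (some vendors do ship .vbs logon helpers) can simply be left out of the pipeline before the removal step.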

So it only spreads through removable media? Am I right there?
The worm creates .lnk files to replace every folder and file in removable media. The attributes of the original folders and files are set to “System” and “Hidden” to hide them from the user.

The worm opens a back door and connects to the following domains:
school-pc.sytes.net:455
no99.zapto.org:81
For the CnC infrastructure see the following article link, and read on the RAT capabilities of this so-called Houdini worm: http://www.fireeye.com/blog/technical/threat-intelligence/2013/09/now-you-see-me-h-worm-by-houdini.html

The worm may perform the following actions:
Accept and execute commands
Spread to USB or removable drives
Download and execute files
Update or uninstall itself
Log key strokes
Take screenshots
Terminate processes
Upload a local file back to the attacker
Delete a local file

The worm may also steal the following information from the compromised computer:
Drive list
File list
Folder list
Process list
Computer name
User name
Operating system version
Disk serial number
Installed antivirus products

pol
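The removable-media behaviour described in the post above (shortcuts replacing each folder and file, originals set to Hidden+System) can be checked and reversed from PowerShell once the host is clean. This is an added example written for this thread, not MCShield code; it assumes the drive letter is supplied by the caller (the `E:\` below is a constructed placeholder) and that the worm's shortcuts launch wscript.exe or a .vbs/.vbe file. The function names `Get-UsbShortcutInfection` and `Repair-UsbHiddenItems` are invented here.

```powershell
# Added example (not from this thread or from MCShield): inspect a removable
# drive for the .lnk replacement described in the post and put the hidden
# originals back. Run only after the host system is clean, otherwise the
# active worm re-infects the drive (the cleaning loop Magna86 describes).

function Get-UsbShortcutInfection {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DriveRoot)

    # WScript.Shell is used only to *read* each shortcut's target; nothing is executed.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $DriveRoot -Filter '*.lnk' -File -Force | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $launch = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        if ($launch -match 'wscript\.exe|\.vb[se]\b') {
            # The worm names each shortcut after the folder/file it hid, so the
            # hidden original should sit next to it under the same base name.
            $twin = Join-Path $DriveRoot $_.BaseName
            $original = if (Test-Path -LiteralPath $twin) { $twin } else { $null }
            [PSCustomObject]@{
                Shortcut       = $_.FullName
                Launches       = $launch
                HiddenOriginal = $original
            }
        }
    }
}

function Repair-UsbHiddenItems {
    # Clears Hidden+System on the drive's top-level items so the user's files show
    # again. Supports -WhatIf; the volume's own metadata folder is left alone.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DriveRoot)

    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $DriveRoot -Force |
        Where-Object { (($_.Attributes -band $hs) -eq $hs) -and $_.Name -ne 'System Volume Information' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden+System attributes')) {
                $_.Attributes = $_.Attributes -band (-bnot $hs)
            }
        }
}

# Usage: list the malicious shortcuts, then preview the attribute repair.
$drive = 'E:\'   # constructed placeholder; substitute the infected drive's root
Get-UsbShortcutInfection -DriveRoot $drive | Format-Table -AutoSize
Repair-UsbHiddenItems -DriveRoot $drive -WhatIf
```

The shortcut list is worth keeping before deleting anything: the `Launches` column shows exactly which script each .lnk would have started, and a row with an empty `HiddenOriginal` means the user never had an item of that name, which is a quick way to tell the worm's own decoy shortcuts from the ones masking real folders.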