JS_BONDAT.NL

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• %User Startup%\Windows Explorer.lnk - shortcut to dropped copy of itself
• %ProgramData%\Windows Explorer.lnk - shortcut to dropped copy of itself

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.. %ProgramData% is the Program Data folder, where it usually is C:\Program Files in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %Application Data%\{random folder name}\{random file name}.js
• %User Profile%\{random folder name}\{random file name}.js
• {Removable drives}\.Trashes\{random number}\{random file name}.js

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

• %Application Data%\{random folder name}
• %User Profile%\{random folder name}
• {Removable drives}\.Trashes
• {Removable drives}\.Trashes\{random number}

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

• Windows Explorer.lnk

Other System Modifications

This worm modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is {User preferences}.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is {User preferences}.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Removable drives}\.Trashes\{random number}\{random file name}.js

Information Theft

This worm gathers the following data:

• User name
• Computer name
• List of running processes
• Operating system information

Stolen Information

This worm sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}.3.136/
• http://{BLOCKED}c.myquickweb.net/
• http://www2.{BLOCKED}connect.com/
• http://{BLOCKED}.{BLOCKED}.192.195/

Other Details

This worm connects to the following URL(s) to check for an Internet connection:

• https://www.microsoft.com/
• https://www.google.com/
• https://www.bing.com/

NOTES:

It copies legitimate wscript.exe into the following:

• %Application Data%\{random folder name}\{string 1}{string 2}{32, 64, or blank}.exe
• %User Profile%\{random folder name}\{string 1}{string 2}{32, 64, or blank}.exe

where string 1 can be any of the following:

• win
• cmd
• disk
• dsk
• ms
• hp
• intel
• amd
• dll
• tcp
• udp

string 2 can be any of the following:

• process
• proc
• monitor
• mon
• sys
• host
• mgr
• update
• updater

It terminates itself when the following strings are found in the system through Windows Management Instrumentation (WMI) queries:

• QEMU
• Bochs
• innotek
• Xen
• Red Hat
• Virtual HDD
• VMware
• VBOX
• Citrix

It terminates processes with the following strings:

• regedit
• windows-kb
• mrt
• rstrui
• msconfig
• procexp
• avast
• avg
• mse
• ptinstall
• sdasetup
• issetup
• fs20
• mbam
• housecall
• hijackthis
• rubotted
• autoruns
• avenger
• filemon
• gmer
• hotfix
• klwk
• mbsa
• procmon
• regmon
• sysclean
• tcpview
• unlocker
• wireshark
• fiddler
• resmon
• perfmon
• msss
• cleaner
• otl
• roguekiller
• fss
• zoek
• emergencykit
• dds
• ccsetup
• vbsvbe
• combofix
• frst
• mcshield
• zphdiag

In the folders where it dropped shortcuts, this worm deletes files with the following extensions:

• .js
• .vbs
• .jse
• .vbe

It also moves files with the following extensions into {Removable drives}\.Trashes:

• exe
• doc
• docx
• pdf
• rtf
• txt
• mp3
• m4a
• ogg
• wav
• wma
• mp4
• avi
• webm
• flv
• mov
• wmv
• mpeg
• mpg
• gif
• jpg
• jpeg
• png

It also creates shortcuts with names as the moved files.