Analysis by: Christopher Daniel So

ALIASES:

TrojanDownloader:VBS/Wimmie.A (Microsoft), Backdoor.Trojan (Symantec), Trojan.VBS.Small.bq (Kaspersky)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

Upon execution, VBS_WIMMIE.SMC writes a malicious JScript into a Windows Management Instrumentation (WMI) event consumer. The script connects to a remote site, from which it may download other malicious file(s) and receive arbitrary commands to execute. Storing the script in the WMI repository rather than as a file effectively hides it from the user. VBS_WIMMIE.SMC then deletes itself and its dropper once its execution is completed.

This Trojan may be dropped by other malware.

It does not have any propagation routine.

It does not drop any other file.

It does not have any downloading capability.

It does not have any information-stealing capability.

  TECHNICAL DETAILS

File Size: Varies
File Type: VBS
Initial Samples Received Date: 16 Jan 2012

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_WIMMIE.C

Propagation

This Trojan does not have any propagation routine.

Dropping Routine

This Trojan does not drop any other file.

Download Routine

This Trojan does not have any downloading capability.

Information Theft

This Trojan does not have any information-stealing capability.

NOTES:

Upon execution, VBS_WIMMIE.SMC writes a malicious JScript into a Windows Management Instrumentation (WMI) event consumer. The script connects to a remote site, from which it may download other malicious file(s) and receive arbitrary commands to execute. Storing the script in the WMI repository rather than as a file effectively hides it from the user. VBS_WIMMIE.SMC then deletes itself and its dropper once its execution is completed.

It saves the malicious script as an ActiveScriptEventConsumer (a subclass of __EventConsumer) with the following name:

  • Microsoft WMI Comsumer Security Event_consumer

It creates an __EventFilter with the following name. The filter is required for the __EventConsumer above to be registered as a permanent event subscription, and because permanent subscriptions are stored in the WMI repository and survive reboots, it also serves as the autostart mechanism for the malicious script:

  • Microsoft WMI Comsumer Security Event_filter

An __IntervalTimerInstruction with the following TimerId is also created so that the timer event matched by the filter fires every 30 seconds:

  • Microsoft WMI Comsumer Security Event_WMITimer

A __FilterToConsumerBinding instance is then created to link the above-mentioned __EventConsumer to the __EventFilter, completing the subscription.

The malicious script connects to the following URL to notify a remote user of an infection:

  • http://{BLOCKED}whales.shop.co/count/count.php?m=c&n={computer name}{MAC Address}_{malware-specified parameter}@

It then receives one of the following commands from the remote user:

  • Download a file
  • Upload a file to a server
  • Get the infected PC's visible IP address
  • Execute arbitrary commands through cmd.exe

However, as of this writing, the site is inaccessible.

For information regarding WMI, please refer to the Microsoft MSDN page.

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.852.05
FIRST VSAPI PATTERN DATE: 20 Mar 2012
VSAPI OPR PATTERN File: 8.853.00
VSAPI OPR PATTERN Date: 21 Mar 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove the malware/grayware file that dropped/downloaded VBS_WIMMIE.SMC.

Step 3

Scan your computer with your Trend Micro product to delete files detected as VBS_WIMMIE.SMC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Deleting Malicious Script

To delete the malicious script created by this malware using WMI Command-line Tool:

  1. Open a WMI command-line. To do this, click Start > Run, type WMIC in the text box provided, then press Enter.

    Type the following on the command-line tool and delete the malicious event consumer:
    a. /namespace:\\root\subscription PATH __EventConsumer delete

  2. Press Y and Enter when prompted to delete the following; press N and Enter if a different object is shown:

    \\{computer name}\\ROOT\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer"

    Type the following on the command-line tool and delete the event filter:
    a. /namespace:\\root\subscription PATH __EventFilter delete

  3. Press Y and Enter when prompted to delete the following; press N and Enter if a different object is shown:

    \\{computer name}\\ROOT\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter"

    Type the following on the command-line tool and delete the event timer instruction:
    a. /namespace:\\root\subscription PATH __TimerInstruction delete

  4. Press Y and Enter when prompted to delete the following; press N and Enter if a different object is shown:

    \\{computer name}\\ROOT\subscription:__TimerInstruction.TimerId="Microsoft WMI Comsumer Security Event_WMITimer"

    Type the following on the command-line tool and delete the FiltertoConsumerBinding:
    a. /namespace:\\root\subscription PATH __FilterToConsumerBinding delete

  5. Press Y and Enter when prompted to delete the following; press N and Enter if a different object is shown:

    \\{computer name}\\ROOT\subscription:__FilterToConsumerBinding.Consumer="\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="Microsoft WMI Comsumer Security Event_consumer\"",Filter="\\\\.\\root\\subscription:__EventFilter.Name="Microsoft WMI Comsumer Security Event_filter\""

  6. Type quit or exit to close the command-line tool.
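
The following PowerShell script is an added example; it is not part of this description and not a Trend Micro tool. It covers both the persistence chain described under NOTES in the Technical Details (consumer, filter, timer instruction and binding in root\subscription) and the manual WMIC removal steps above: it enumerates the permanent event subscriptions, flags the four objects this description attributes to VBS_WIMMIE.SMC, dumps the consumer's script text for analysis, and only deletes the flagged objects when -Remove is given. The three object names are the ones listed in this description; the function name, the -Remove switch, the output object layout and the decision to delete the binding before the objects it references are this example's own assumptions.

```powershell
# Added example (not from the Trend Micro description or any Trend Micro product).
# Enumerates permanent WMI event subscriptions in root\subscription, flags the
# VBS_WIMMIE.SMC components named in the description, and removes exactly those
# when -Remove is supplied. Run from an elevated prompt; PowerShell 2.0 syntax.

$Namespace = 'root\subscription'
$Indicators = @{
    Consumer = 'Microsoft WMI Comsumer Security Event_consumer'   # misspelling is the malware's own
    Filter   = 'Microsoft WMI Comsumer Security Event_filter'
    Timer    = 'Microsoft WMI Comsumer Security Event_WMITimer'
}

function Find-WimmieSubscription {
    param([switch]$Remove)   # -Remove is this example's own switch, not a WMI concept

    $found   = @()   # report rows
    $matched = @()   # WMI objects to delete if -Remove was given

    # Bindings reference the filter and consumer by object path, which is what the
    # WMIC prompt in step 5 of the removal procedure shows. Collected first so the
    # binding is deleted before the objects it points at.
    foreach ($b in @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding)) {
        if ($b.Filter   -like "*__EventFilter.Name=`"$($Indicators.Filter)`"*" -or
            $b.Consumer -like "*ActiveScriptEventConsumer.Name=`"$($Indicators.Consumer)`"*") {
            $found   += New-Object PSObject -Property @{ Kind = 'Binding'; Name = $b.Filter; Detail = $b.Consumer }
            $matched += $b
        }
    }

    # The ActiveScriptEventConsumer holds the JScript body in ScriptText; keep it
    # for analysis. Script consumers are uncommon in legitimate use, so every one
    # is reported for review, but only the known name is queued for deletion.
    foreach ($c in @(Get-WmiObject -Namespace $Namespace -Class ActiveScriptEventConsumer)) {
        $isWimmie = ($c.Name -eq $Indicators.Consumer)
        $kind = 'Consumer (review)'
        if ($isWimmie) { $kind = 'Consumer'; $matched += $c }
        $found += New-Object PSObject -Property @{ Kind = $kind; Name = $c.Name; Detail = $c.ScriptText }
    }

    # The filter's Query shows what event the subscription triggers on.
    foreach ($f in @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)) {
        if ($f.Name -eq $Indicators.Filter) {
            $found   += New-Object PSObject -Property @{ Kind = 'Filter'; Name = $f.Name; Detail = $f.Query }
            $matched += $f
        }
    }

    # Timer instructions are keyed by TimerId, as in step 4 of the removal procedure.
    # IntervalBetweenEvents is in milliseconds (the description states 30 seconds).
    foreach ($t in @(Get-WmiObject -Namespace $Namespace -Class __IntervalTimerInstruction)) {
        if ($t.TimerId -eq $Indicators.Timer) {
            $found   += New-Object PSObject -Property @{ Kind = 'Timer'; Name = $t.TimerId; Detail = "every $($t.IntervalBetweenEvents) ms" }
            $matched += $t
        }
    }

    if ($Remove) {
        foreach ($obj in $matched) { Remove-WmiObject -InputObject $obj }
    }
    return $found
}

# Usage: report first, review the output (including any ScriptText), then remove.
Find-WimmieSubscription | Format-Table Kind, Name, Detail -AutoSize
# Find-WimmieSubscription -Remove
```

Run it once without -Remove and save the output: the ScriptText column of the consumer is the only copy of the malicious JScript, since the description notes that no script file is dropped on disk. The script only deletes objects whose names match the indicators exactly; any other ActiveScriptEventConsumer it lists is left in place for manual review.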

