VBS/Dinihou-A

Category: Viruses and Spyware
Type: Visual Basic Script worm
Protection available since: 21 Oct 2013 04:42:50 (GMT)
Last Updated: 19 Mar 2014 04:47:23 (GMT)
Prevalence: Small Number of Reports


VBS/Dinihou-A is a worm that spreads through network drives and removable media.

On a drive it infects, VBS/Dinihou-A hides the user's documents so that they no longer appear in a normal directory listing, and places a .lnk shortcut under each document's name in their place. Opening one of these shortcuts runs the worm script first and then opens the hidden original, so the user sees the document they expected.

VBS/Dinihou-A also includes backdoor functionality, giving a remote attacker control of the infected computer.
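The shortcut trick described above is what a responder will actually find on a removable drive: hidden documents alongside same-named .lnk files whose target runs a .vbs. The following Python is an added example written for this write-up; it is not Sophos code and contains nothing taken from the worm. It parses the fixed header and StringData section of the Windows Shell Link (.lnk) binary format (MS-SHLLINK), flags shortcuts whose target or arguments run a .vbs through wscript, cscript or cmd, and pairs .lnk files with hidden files of the same name in a directory listing. The two shortcuts and the directory listing are constructed in the code; the cmd.exe command line and the document name "Q3 report.docx" are assumptions chosen to match the behaviour described (run the script, then open the document), not captured Dinihou samples.

```python
"""Triage of Dinihou-style .lnk shortcuts: parse MS-SHLLINK StringData and flag .vbs launchers."""
import os
import re
import struct

# {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian GUID)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOST = re.compile(r"\b(wscript|cscript|cmd)(\.exe)?\b", re.I)
VBS_REF = re.compile(r'[^\s"]+\.vbs\b', re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; skips LinkTargetIDList and LinkInfo if present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for flag, key in STRING_FIELDS:                         # fixed order mandated by the spec
        if not flags & flag:
            fields[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def classify_lnk(data: bytes) -> dict:
    """Flag a shortcut whose target/arguments hand a .vbs to a script host or to cmd.exe."""
    fields = parse_lnk(data)
    target_line = fields["relative_path"] + " " + fields["arguments"]
    scripts = VBS_REF.findall(target_line)
    suspicious = bool(SCRIPT_HOST.search(target_line) and scripts)
    return {"suspicious": suspicious, "scripts": scripts, "fields": fields}


def pair_lnk_with_hidden(listing) -> list:
    """listing: iterable of (filename, hidden_attribute_set). Return shortcuts standing in for a
    hidden file: 'doc.docx.lnk' (or 'doc.lnk') beside a hidden 'doc.docx' is the Dinihou pattern.
    Explorer hides the .lnk extension, so the shortcut shows up under the document's own name."""
    hidden = {n.lower() for n, h in listing if h}
    hidden |= {os.path.splitext(n)[0] for n in hidden}
    return sorted(n for n, h in listing
                  if n.lower().endswith(".lnk") and n[:-4].lower() in hidden)


def build_lnk(relative_path: str, arguments: str = "", name: str = "") -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData; used here to construct samples."""
    flags, body = IS_UNICODE, b""
    for flag, value in ((HAS_NAME, name), (HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


# Constructed samples (not captured files). The command line is an assumption modelled on the
# behaviour described: launch the dropped 3.vbs, then open the hidden document.
MALICIOUS_LNK = build_lnk(relative_path=r"..\..\..\Windows\System32\cmd.exe",
                          arguments='/c start 3.vbs & start "Q3 report.docx" & exit')
BENIGN_LNK = build_lnk(relative_path=r"..\..\..\Windows\System32\notepad.exe")

# Constructed directory listing of an infected removable drive: (name, hidden attribute set)
DRIVE_LISTING = [("3.vbs", True), ("Q3 report.docx", True),
                 ("Q3 report.docx.lnk", False), ("readme.txt", False)]

if __name__ == "__main__":
    print(classify_lnk(MALICIOUS_LNK))
    print(classify_lnk(BENIGN_LNK))
    print(pair_lnk_with_hidden(DRIVE_LISTING))
```

To use this on a real drive, read each .lnk with `open(path, "rb")` and feed the bytes to `classify_lnk`; the parser ignores the ExtraData blocks that follow StringData, so trailing data does no harm. Pairing the shortcut names against hidden files is the cheaper check and does not depend on the worm's exact command line, which varies between samples.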

Examples of VBS/Dinihou-A include:

Example 1

File Information

Size
3.4M
SHA-1
2e92de3918e9c1fd0752cbae8214bbb4d0c2a540
MD5
d1af73f5715184189833f22bf5b10cc0
CRC-32
d6b487e1
File type
Windows executable
First seen
2007-08-26

Runtime Analysis

Dropped Files
  • C:\Program Files\1.pdf
  • C:\Program Files\733.vbs
    Size
    184K
    SHA-1
    b99deb545c07981dceb988ee7227d0dcdccdb571
    MD5
    b9350869447e2e210caad8e4fbaacbe8
    CRC-32
    cb9c550e
    File type
    Visual Basic Script
    First seen
    2013-12-17
Registry Keys Created
  • HKCU\Software\WinRAR SFX
    C%%Program Files
    C:\Program Files
Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe

Example 2

File Information

Size
1.2M
SHA-1
2eb9d9d8215caefa38c5889692f175dd711a0170
MD5
4386a191d56a87a895bf4b04f658a99c
CRC-32
385b275e
File type
Windows executable
First seen
2013-10-04

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\3.vbs
    Size
    70K
    SHA-1
    3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5
    38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32
    d00fe8eb
    File type
    Visual Basic Script
    First seen
    2013-10-04
  • F:/3.vbs
    Size
    70K
    SHA-1
    3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5
    38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32
    d00fe8eb
    File type
    Visual Basic Script
    First seen
    2013-10-04
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\3.vbs
    Size
    70K
    SHA-1
    3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5
    38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32
    d00fe8eb
    File type
    Visual Basic Script
    First seen
    2013-10-04
  • c:\Documents and Settings\test user\Local Settings\Temp\TeamViewer 8.0.22298 Enterprise Multilingual Patch.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    3
    wscript.exe //B "C:\DOCUME~1\support\LOCALS~1\Temp\3.vbs"
  • HKLM\SOFTWARE\3
    (Default)
    false - 10/4/2013
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    3
    wscript.exe //B "C:\DOCUME~1\support\LOCALS~1\Temp\3.vbs"
Processes Created
  • c:\docume~1\support\locals~1\temp\_ir_vp2_temp_0\vpatch.exe
  • c:\docume~1\support\locals~1\temp\teamviewer 8.0.22298 enterprise multilingual patch.exe
  • c:\windows\system32\wscript.exe
DNS Requests
  • o44b.zapto.org

Example 3

File Information

Size
4.7M
SHA-1
492688e736b8af64c436c4d420b08108c63017e5
MD5
84cbfb31d40788158b1928c497990198
CRC-32
f68e0d54
File type
Windows executable
First seen
2013-11-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Photoshop.pdf
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\Application.vbs
  • c:\Documents and Settings\test user\Local Settings\Temp\Application.vbs
  • c:\Documents and Settings\test user\Local Settings\Temp\AcrFF5.tmp
Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\wscript.exe
