VBS/Dinihou-A

Category: Viruses and Spyware
Type: Trojan
Protection available since: 21 Oct 2013 01:25:48 (GMT)
Last Updated: 23 Apr 2016 03:04:31 (GMT)
Prevalence: Small Number of Reports


Examples of VBS/Dinihou-A include:

Example 1

File Information

Size: 728K
SHA-1: 24d7014cfa00edd7d659ae8084a6fd63fa63cb0e
MD5: 590945d108937ea5430b5ff9ebf55ff7
CRC-32: 2ea6d562
File type: Windows executable
First seen: 2007-10-31

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\microsoft.vbs
  • c:\Documents and Settings\test user\Local Settings\Temp\skyper.vbs
    Size: 1.1K
    SHA-1: 40334930d7fb4548775d3490576b576d060cf15f
    MD5: 6f624fba1123ff934353a290121ec979
    CRC-32: a9bdc524
    File type: Visual Basic Script
    First seen: 2015-08-24
  • c:\Documents and Settings\test user\microsoft.vbs
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\microsoft.vbs
  • F:/microsoft.vbs
  • C:\WINDOWS\system32\athphw.exe
Modified Files
  • C:\AUTOEXEC.BAT
    • Changed the file contents
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    microsoft = wscript.exe //B "c:\Documents and Settings\test user\microsoft.vbs"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    GlobalUserOffline = 0x00000000
  • HKLM\SOFTWARE\Microsoft
    (Default) = false - 8/24/2015
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    microsoft = wscript.exe //B "c:\Documents and Settings\test user\microsoft.vbs"
Registry Keys Modified
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions = 0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 0x00000001
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe athphw.exe silent
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 0x00000000
Processes Created
  • c:\windows\system32\athphw.exe
  • c:\windows\system32\wscript.exe
DNS Requests
  • dl.dropboxusercontent.com
  • korom.zapto.org

Example 2

File Information

Size: 1.2M
SHA-1: 2eb9d9d8215caefa38c5889692f175dd711a0170
MD5: 4386a191d56a87a895bf4b04f658a99c
CRC-32: 385b275e
File type: Windows executable
First seen: 2013-10-04

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\TeamViewer 8.0.22298 Enterprise Multilingual Patch.exe
  • F:/3.vbs
    Size: 70K
    SHA-1: 3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5: 38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32: d00fe8eb
    File type: Visual Basic Script
    First seen: 2013-10-04
  • c:\Documents and Settings\test user\Local Settings\Temp\3.vbs
    Size: 70K
    SHA-1: 3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5: 38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32: d00fe8eb
    File type: Visual Basic Script
    First seen: 2013-10-04
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\3.vbs
    Size: 70K
    SHA-1: 3d44be96cf2f4cdffbb4e96056dddced0f1ce7e4
    MD5: 38b01f362e41b2e2b5e4da7ce63d3f86
    CRC-32: d00fe8eb
    File type: Visual Basic Script
    First seen: 2013-10-04
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    3 = wscript.exe //B "C:\DOCUME~1\support\LOCALS~1\Temp\3.vbs"
  • HKLM\SOFTWARE\3
    (Default) = false - 10/4/2013
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    3 = wscript.exe //B "C:\DOCUME~1\support\LOCALS~1\Temp\3.vbs"
Processes Created
  • c:\docume~1\support\locals~1\temp\_ir_vp2_temp_0\vpatch.exe
  • c:\docume~1\support\locals~1\temp\teamviewer 8.0.22298 enterprise multilingual patch.exe
  • c:\windows\system32\wscript.exe
DNS Requests
  • o44b.zapto.org

Example 3

File Information

Size: 4.7M
SHA-1: 492688e736b8af64c436c4d420b08108c63017e5
MD5: 84cbfb31d40788158b1928c497990198
CRC-32: f68e0d54
File type: Windows executable
First seen: 2013-11-20

Runtime Analysis

Dropped Files
  • c:\Documents and Settings\test user\Local Settings\Temp\Application.vbs
  • c:\Documents and Settings\test user\Local Settings\Temp\AcrFF5.tmp
  • c:\Documents and Settings\test user\Local Settings\Temp\Photoshop.pdf
  • c:\Documents and Settings\test user\Start Menu\Programs\Startup\Application.vbs
Processes Created
  • c:\program files\adobe\reader 8.0\reader\acrord32.exe
  • c:\windows\system32\wscript.exe