Worm:VBS/Dunihi.A
Posted: June 18, 2013
Threat Metric
| Threat Level: | 5/10 |
|---|---|
| Infected PCs: | 576 |
| First Seen: | June 18, 2013 |
| Last Seen: | April 27, 2022 |
| OS(es) Affected: | Windows |
Worm:VBS/Dunihi.A, also referred to as VBS_DUNIH, may be a newer, upgraded version of Worm:VBS/Jenxcus.A, a Visual Basic-based worm that allows backdoor access to your PC. Through that access point, criminals may steal personal information, use your PC to commit other crimes or install other threats, to name a few of the consequences. Dealing with Worm:VBS/Dunihi.A must also take into account its ability to compromise removable USB devices, which may then carry the worm to other PCs. Both private and business targets are expected to be in danger from Worm:VBS/Dunihi.A's campaign, which has experienced a recent rise in numbers, and anti-malware protection is strongly encouraged for finding and deleting Worm:VBS/Dunihi.A, including its 'spare' copies.
Worm:VBS/Dunihi.A: the Latest Technology in Handing Your Computer Over to Criminals
Worm:VBS/Dunihi.A, which shares many code similarities with Worm:VBS/Jenxcus.A as well as a predisposition for targeting Latin American nations, may not seem, at first, like a threat that offers anything new. However, a close look at Worm:VBS/Dunihi.A's functions reveals additional command functionality that more than quadruples its ability to receive and process instructions from a criminal's C&C server compared to Worm:VBS/Jenxcus.A. First found in targeted attacks against specific government and company institutions, Worm:VBS/Dunihi.A is now seen in the wild, used against any accessible target who browses the Web on an unprotected Windows PC.
The restriction to Windows PCs is a direct result of Worm:VBS/Dunihi.A's use of Visual Basic for its code, which isn't compatible with other operating systems by default. For Windows users, Worm:VBS/Dunihi.A includes all of the common functions of a backdoor-based worm, as noted by malware researchers, such as:
- Giving criminals backdoor access to your computer, thus enabling future attacks through the instructions issued to Worm:VBS/Dunihi.A.
- Updating itself to enhance its functionality.
- Downloading and launching other files, which may include installing threats.
- Running arbitrary Windows commands.
- Transferring system information about a compromised PC back to an attacker.
- Removing itself from your computer (but not necessarily any other threats).
- Compromising any removable devices by creating unsafe LNK files that imitate the file names of normal files on the device (which are modified to be non-visible). Launching any of these LNK files will run Worm:VBS/Dunihi.A, which may infect another PC that shares the device.
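A defender can check a removable drive for the shortcut trick described in the last item. The following is an added example, not code from this page or from any product it mentions: it flags visible LNK files whose names shadow hidden items in the same folder. The sample listing is constructed, and matching on both the full name and the name without extension is an assumption, since the page does not give the exact naming scheme.

```python
import os
import stat
import sys
from pathlib import PureWindowsPath

def find_lnk_decoys(entries):
    """entries: (file_name, is_hidden) pairs taken from ONE directory.

    Returns sorted (lnk_name, hidden_name) pairs where a visible shortcut
    carries the name of an item that has been hidden next to it.
    """
    entries = list(entries)
    hidden = {}
    for name, is_hidden in entries:
        if is_hidden and not name.lower().endswith(".lnk"):
            # Index by full name and by stem, so both "Budget.docx.lnk"
            # and "Budget.lnk" are matched (naming scheme is an assumption).
            hidden.setdefault(name.lower(), name)
            hidden.setdefault(PureWindowsPath(name).stem.lower(), name)
    hits = []
    for name, is_hidden in entries:
        if not is_hidden and name.lower().endswith(".lnk"):
            original = hidden.get(name[:-4].lower())
            if original:
                hits.append((name, original))
    return sorted(hits)

def list_entries(root):
    """Windows only: read the Hidden attribute of each item directly under root."""
    out = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out

# Constructed listing of a removable drive root (not taken from a real sample).
SAMPLE_DRIVE = [
    ("Invoices.xlsx", True), ("Invoices.xlsx.lnk", False),
    ("Photos", True), ("Photos.lnk", False),
    ("Budget.docx", True), ("Budget.lnk", False),
    ("notes.txt", False), ("Tools.lnk", False), ("autorun.inf", True),
]

if __name__ == "__main__":
    listing = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DRIVE
    for lnk, original in find_lnk_decoys(listing):
        print(f"suspicious shortcut {lnk!r} shadows hidden item {original!r}")
```

Run it with a drive root as the only argument on Windows; without an argument it reports on the constructed listing.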
Making a Dummy out of Dunihi
Worm:VBS/Dunihi.A may be the latest in threat technology, but it should still be susceptible to traditional anti-malware solutions. If you suspect that Worm:VBS/Dunihi.A is on your computer, avoid sharing removable devices, reboot into Safe Mode and scan all hard drives and removable drives immediately. Any significant delay in removing Worm:VBS/Dunihi.A allows it to install other threats or make additional attacks against your computer, so malware experts advise a rapid response.
Infection vectors for Worm:VBS/Dunihi.A are much the same as for other worms that have been targeting the same region: spam e-mail messages. These fraudulent e-mails include file attachments disguised to look like harmless content, with their file types mislabeled and their contents protected by archive compression. Deleting these files on sight should protect your computer from Worm:VBS/Dunihi.A compromises, assuming that you also pay attention to what kind of devices you plug into your computer.
Technical Details
File System Modifications
The following files were created in the system:

| File | Size | MD5 | Detection count | Mime Type | Group | Last Updated |
|---|---|---|---|---|---|---|
| %TEMP%\Diapositivas Andrea.vbs | 60.78 KB (60788 bytes) | fa0b8a6958ccefdb5cea2f25eab02140 | 504 | unknown/vbs | Malware file | April 27, 2022 |
| %APPDATA%\crypted.vbs | 45.26 KB (45265 bytes) | 614b72f25b053543170139d85d57c994 | 75 | unknown/vbs | Malware file | February 12, 2014 |
| %TEMP%\pjehqgpbwy.vbs | 73.2 KB (73201 bytes) | 3e75c10474fcd1861b4ee8cb3e6826c0 | 16 | unknown/vbs | Malware file | January 28, 2022 |
| %TEMP%\stoagtrokh..vbs | 115.19 KB (115192 bytes) | e89fe253cc1aae04ec15e581380eb31d | 9 | unknown/vbs | Malware file | November 11, 2018 |
| %APPDATA%\zxtpfcazlb.vbs | | | | unknown/vbs | Malware file | |
| %TEMP%\bhabnxsgne.vbs | | | | unknown/vbs | Malware file | |
Registry Modifications
Regexp file mask
- %APPDATA%\Microsoft\Windows\Start Menu\Startup\Dell.vbs

HKEY..\..\{Value}
- HKEY_LOCAL_MACHINE\Software\Microsoft\windows\Currentversion\Run "[MalwareFilename]" = "bhabnxsgne"
- HKEY_LOCAL_MACHINE\Software\Microsoft\windows\Currentversion\Run "[MalwareFilename]" = "wscript.exe //B "[folder]\[MalwareFilename].vbs""
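The Run entry above has a recognisable shape: a script host started with //B on a .vbs file, stored under a value name equal to the script's file name. As an added example (not code from this page or from any vendor tool), the triage below scores Run values against that shape; the indicator names, the threshold and the sample values other than the `bhabnxsgne` name are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

HOST = re.compile(r'(?i)\b[wc]script(?:\.exe)?\b')
SCRIPT = re.compile(r'(?i)"([^"]+\.vb[se])"|(\S+\.vb[se])\b')
BATCH = re.compile(r'(?i)(?:^|\s)//b(?:\s|$)')
USER_DIR = re.compile(r'(?i)\\(?:temp|appdata)\\|%(?:temp|appdata)%')

def assess_run_value(name, data):
    """Return the indicators one Run value trips (empty list = no script host)."""
    host = HOST.search(data)
    if not host:
        return []
    rest = data[host.end():]
    script = SCRIPT.search(rest)
    if not script:
        return []
    path = script.group(1) or script.group(2)
    hits = ["script host launches " + PureWindowsPath(path).name]
    if BATCH.search(rest):           # //B suppresses prompts and error dialogs
        hits.append("//B batch mode")
    if USER_DIR.search(path):        # %TEMP% / %APPDATA%, as in the file list
        hits.append("user-writable folder")
    if PureWindowsPath(path).stem.lower() == name.lower():
        hits.append("value name equals script name")
    return hits

def triage(values, threshold=3):
    """Names of Run values that trip at least `threshold` indicators."""
    return sorted(n for n, d in values.items()
                  if len(assess_run_value(n, d)) >= threshold)

def read_run_key():
    """Windows only: name -> data for the HKLM Run key listed on this page."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        count = winreg.QueryInfoKey(key)[1]
        rows = (winreg.EnumValue(key, i) for i in range(count))
        return {row[0]: str(row[1]) for row in rows}

# Constructed sample values; only the name "bhabnxsgne" comes from the page.
SAMPLE_RUN = {
    "bhabnxsgne": r'wscript.exe //B "C:\Users\user\AppData\Local\Temp\bhabnxsgne.vbs"',
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "LogonScript": r'wscript.exe "C:\Program Files\Corp\logon.vbs"',
}

if __name__ == "__main__":
    for name in triage(SAMPLE_RUN):
        print(name, assess_run_value(name, SAMPLE_RUN[name]))
```

On a Windows host, pass `read_run_key()` to `triage()` in place of the sample dictionary.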