JS/Bondat [Threat Name]

JS/Bondat.A [Threat Variant Name]

Category worm
Size 27023 B
Detection created Oct 13, 2014
Signature database version 10556
Aliases Worm:JS/Bondat.A (Microsoft)
  VBS/Worm.AA.virus (AVG)
Short description

JS/Bondat.A is a worm that spreads via removable media.

Installation

When executed, the worm creates the following files:

  • %userprofile%\%variable1%\%variable2%.js
  • %userprofile%\AppData\Roaming\%variable1%\%variable2%.js

A string with variable content is used instead of %variable1% and %variable2%.


The %userprofile%\%variable1%\ and %userprofile%\AppData\Roaming\%variable1%\ folders may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.


The worm creates copies of the following files (source, destination):

  • %systemroot%\system32\wscript.exe, %userprofile%\%variable1%\%variable3%
  • %systemroot%\system32\wscript.exe, %userprofile%\AppData\Roaming\%variable1%\%variable3%

The %variable3% name is built from some of the following strings:

  • win
  • cmd
  • disk
  • dsk
  • ms
  • hp
  • intel
  • amd
  • dll
  • tcp
  • udp
  • process
  • proc
  • monitor
  • mon
  • sys
  • host
  • mgr
  • update
  • updater
  • 64
  • 32

The worm creates the following files:

  • %userprofile%\Start Menu\Programs\Startup\Windows Explorer.lnk
  • %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk

The file is a shortcut to a malicious file.


This causes the worm to be executed on every system start.

Spreading on removable media

The worm may create copies of itself on removable drives.


The worm copies itself to the following location:

  • %removabledrive%\.Trashes\%variable4%\%variable5%.js

A variable numerical value is used instead of %variable4%. A string with variable content is used instead of %variable5%.


The worm searches for files and folders in the root folders of removable drives.


When the worm finds a file matching the search criteria, it creates a new file.


The name of the file may be based on the name of an existing file or folder. The extension of the file is ".lnk".


The file is a shortcut to a malicious file.


Found files are moved to the following location:

  • %removabledrive%\.Trashes\

The %removabledrive%\.Trashes\ folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.

Information stealing

The worm collects the following information:

  • computer name
  • user name
  • operating system version
  • language settings

The worm attempts to send gathered information to a remote machine.


The worm contains a URL. The HTTP protocol is used for the communication.

Other information

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
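The indicators in the "Installation", "Spreading on removable media" and registry sections above lend themselves to a small triage script. The following is an added example written for this description, not ESET's tooling or the worm's code: it checks a removable-drive root for the .Trashes layout and the same-named .lnk decoys, looks for "Windows Explorer.lnk" in the two Startup folders, and compares the two Explorer\Advanced values against the settings the worm writes. The drive layout, file names ("512", "xk8s.js", "Photos", "report.docx") and registry values fed to the demo are constructed sample data; shortcuts are recognised by name only, their targets are not parsed.

```python
"""Triage checks for the JS/Bondat.A indicators listed in this description.

Added example, not ESET's tooling. All sample data below is constructed.
"""
import re
import sys
import tempfile
from pathlib import Path

STARTUP_LNK = "Windows Explorer.lnk"
# Explorer\Advanced values the worm sets so its System+Hidden folders stay out of view.
WORM_EXPLORER_VALUES = {"Hidden": 2, "ShowSuperHidden": 0}
EXPLORER_ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def scan_removable_root(root):
    """Return sorted findings for one removable-drive root (e.g. E:\\)."""
    root = Path(root)
    trashes = root / ".Trashes"
    findings = []
    if not trashes.is_dir():
        return findings
    entries = list(trashes.iterdir())
    # The worm's own copy lives at .Trashes\<number>\<name>.js.
    for sub in entries:
        if sub.is_dir() and re.fullmatch(r"\d+", sub.name):
            for js in sub.glob("*.js"):
                findings.append(f"payload candidate: {js.relative_to(root).as_posix()}")
    # Everything else in .Trashes is a file or folder moved out of the root ...
    moved = {e.name.lower() for e in entries if not re.fullmatch(r"\d+", e.name)}
    moved_stems = {Path(n).stem for n in moved}
    # ... replaced in the root by a same-named .lnk decoy (name check only).
    for lnk in root.glob("*.lnk"):
        stem = lnk.stem.lower()
        if stem in moved or stem in moved_stems:
            findings.append(f"decoy shortcut: {lnk.name} (original now under .Trashes)")
    return sorted(findings)


def find_startup_shortcut(userprofile):
    """Paths of 'Windows Explorer.lnk' in either Startup folder named above."""
    up = Path(userprofile)
    candidates = [
        up / "Start Menu" / "Programs" / "Startup" / STARTUP_LNK,
        up / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Start Menu"
        / "Programs" / "Startup" / STARTUP_LNK,
    ]
    return [str(p) for p in candidates if p.is_file()]


def explorer_values_match_worm(values):
    """True when both Explorer values equal the settings the worm writes."""
    return all(values.get(name) == want for name, want in WORM_EXPLORER_VALUES.items())


def read_explorer_values():
    """Read the two values from HKCU with winreg; returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED_KEY) as key:
        for name in WORM_EXPLORER_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                out[name] = None
    return out


def build_sample(base):
    """Construct a fake drive root and user profile showing the described layout."""
    drive = Path(base) / "E"
    (drive / ".Trashes" / "512").mkdir(parents=True)
    (drive / ".Trashes" / "512" / "xk8s.js").write_text("// placeholder, not the worm\n")
    (drive / ".Trashes" / "Photos").mkdir()                # folder moved out of the root
    (drive / ".Trashes" / "report.docx").write_text("x")   # file moved out of the root
    for decoy in ("Photos.lnk", "report.docx.lnk"):        # same-named shortcut decoys
        (drive / decoy).write_bytes(b"L\x00\x00\x00")
    (drive / "readme.txt").write_text("untouched")
    profile = Path(base) / "user"
    startup = profile / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / STARTUP_LNK).write_bytes(b"L\x00\x00\x00")
    return drive, profile


def demo():
    """Run the checks on the constructed sample: (drive findings, startup hits, registry flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, profile = build_sample(tmp)
        drive_findings = scan_removable_root(drive)
        startup_hits = find_startup_shortcut(profile)
    sample_registry = {"Hidden": 2, "ShowSuperHidden": 0}  # constructed, as the worm sets them
    return drive_findings, startup_hits, explorer_values_match_worm(sample_registry)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a Windows host, feed `read_explorer_values()` into `explorer_values_match_worm()` instead of the constructed dictionary and point `scan_removable_root()` at the mounted drive letter; a hit on the registry pair alone is a weak signal (users can set these values themselves), so treat it as corroborating evidence next to the .Trashes layout or the Startup shortcut.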

The worm may create the following files:

  • %userprofile%\%variable1%\%variable6%
  • %userprofile%\AppData\Roaming\%variable1%\%variable6%
  • %userprofile%\%variable1%\%variable7%
  • %userprofile%\AppData\Roaming\%variable1%\%variable7%
  • %userprofile%\%variable1%\%variable8%
  • %userprofile%\AppData\Roaming\%variable1%\%variable8%
  • %userprofile%\%variable1%\%variable9%
  • %userprofile%\AppData\Roaming\%variable1%\%variable9%

A string with variable content is used instead of %variable6% to %variable9%.


The worm may delete the following files:

  • %userprofile%\%variable1%\*.exe
  • %userprofile%\AppData\Roaming\%variable1%\*.exe
  • %userprofile%\Start Menu\Programs\Startup\*.js
  • %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

The worm may create copies of itself in the following folder:

  • %temp%

The worm terminates processes with any of the following strings in the name:

  • regedit
  • windows-kb
  • mrt
  • rstrui
  • msconfig
  • procexp
  • avast
  • avg
  • mse
  • ptinstall
  • sdasetup
  • issetup
  • fs20
  • mbam
  • housecall
  • hijackthis
  • rubotted
  • autoruns
  • avenger
  • filemon
  • gmer
  • hotfix
  • klwk
  • mbsa
  • procmon
  • regmon
  • sysclean
  • tcpview
  • unlocker
  • wireshark
  • fiddler
  • resmon
  • perfmon
  • msss
  • cleaner
  • otl
  • roguekiller
  • fss
  • zoek
  • emergencykit
  • dds
  • ccsetup
  • vbsvbe
  • combofix

The worm may display a fake error message.

The worm may turn off the computer.


The worm can download and execute a file from the Internet.
