JS/Bondat [Threat Name]
JS/Bondat.A [Threat Variant Name]
Category: worm
Size: 27023 B
Aliases: Worm:JS/Bondat.A (Microsoft), VBS/Worm.AA.virus (AVG)
Short description
JS/Bondat.A is a worm that spreads via removable media.
Installation
When executed, the worm creates the following files:
- %userprofile%\%variable1%\%variable2%.js
- %userprofile%\AppData\Roaming\%variable1%\%variable2%.js
A string with variable content is used instead of %variable1-2%.
The %userprofile%\%variable1%\ and %userprofile%\AppData\Roaming\%variable1%\ folders may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.
The worm creates copies of the following files (source, destination):
- %systemroot%\system32\wscript.exe, %userprofile%\%variable1%\%variable3%
- %systemroot%\system32\wscript.exe, %userprofile%\AppData\Roaming\%variable1%\%variable3%
The %variable3% consists of some of the following strings:
- win
- cmd
- disk
- dsk
- ms
- hp
- intel
- amd
- dll
- tcp
- udp
- process
- proc
- monitor
- mon
- sys
- host
- mgr
- update
- updater
- 64
- 32
The worm creates the following files:
- %userprofile%\Start Menu\Programs\Startup\Windows Explorer.lnk
- %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
The file is a shortcut to a malicious file.
This causes the worm to be executed on every system start.
Spreading on removable media
The worm may create copies of itself on removable drives.
The worm copies itself to the following location:
- %removabledrive%\.Trashes\%variable4%\%variable5%.js
A variable numerical value is used instead of %variable4%. A string with variable content is used instead of %variable5%.
The worm searches for files and folders in the root folders of removable drives.
When the worm finds a file matching the search criteria, it creates a new file.
The name of the file may be based on the name of an existing file or folder. The extension of the file is ".lnk".
The file is a shortcut to a malicious file.
Found files are moved to the following location:
- %removabledrive%\.Trashes\
The %removabledrive%\.Trashes\ folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.
Information stealing
The worm collects the following information:
- computer name
- user name
- operating system version
- language settings
The worm attempts to send gathered information to a remote machine.
The worm contains a URL address. The HTTP protocol is used in the communication.
Other information
The worm terminates its execution if it detects that it's running in a specific virtual environment.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  "Hidden" = 2
  "ShowSuperHidden" = 0
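The indicators from the Installation, Spreading on removable media and Registry sections above can be checked offline against a host snapshot. The following is an added triage example, not code from the original page or from any vendor; the paths in SAMPLE_PATHS are constructed, and the "token-composed name beside a .js file" check for the renamed wscript.exe copy is a heuristic built from the %variable3% word list, not a documented detection rule.

```python
# Offline triage for the JS/Bondat.A indicators above (added example; constructed snapshot, not a live scan).
from pathlib import PureWindowsPath

# Building blocks the page lists for the renamed wscript.exe copy (%variable3%).
WSCRIPT_NAME_TOKENS = ("win", "cmd", "disk", "dsk", "ms", "hp", "intel", "amd", "dll", "tcp", "udp",
                       "process", "proc", "monitor", "mon", "sys", "host", "mgr", "update", "updater", "64", "32")
EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

def is_token_composed(name):
    """True if name (e.g. 'winupdater64') splits entirely into WSCRIPT_NAME_TOKENS."""
    name = name.lower()
    reach = [True] + [False] * len(name)  # reach[i]: the first i characters can be segmented
    for i in range(len(name)):
        for tok in WSCRIPT_NAME_TOKENS:
            if reach[i] and name.startswith(tok, i):
                reach[i + len(tok)] = True
    return bool(name) and reach[-1]

def triage(paths, registry):
    """Return one finding string per matched indicator (empty list when nothing matches)."""
    findings = []
    adv = registry.get(EXPLORER_ADVANCED, {})
    if adv.get("Hidden") == 2 and adv.get("ShowSuperHidden") == 0:  # values the page says the worm sets
        findings.append("registry: Explorer configured to hide hidden and protected OS files")
    wp = [PureWindowsPath(p) for p in paths]
    by_dir, trashed = {}, {}
    for p in wp:
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
        if ".trashes" in (s.lower() for s in p.parts):  # originals moved into \.Trashes\
            trashed[p.name.lower()] = trashed[p.stem.lower()] = p
    for p in wp:
        if p.name.lower() == "windows explorer.lnk" and "startup" in (s.lower() for s in p.parts):
            findings.append(f"startup: {p} is a shortcut named like Explorer inside a Startup folder")
        if p.suffix.lower() == ".lnk" and len(p.parts) == 2 and p.stem.lower() in trashed:  # drive root
            findings.append(f"removable: {p} shadows {trashed[p.stem.lower()]} moved into .Trashes")
        has_js_sibling = any(s.suffix.lower() == ".js" for s in by_dir[str(p.parent).lower()])
        if not p.suffix and is_token_composed(p.name) and has_js_sibling:
            findings.append(f"host: {p} looks like a renamed wscript.exe launcher for a .js payload")
    return findings

# Constructed sample snapshot (not from a real system) exercising each indicator once.
SAMPLE_PATHS = [
    r"C:\Users\alice\qzk\winupdater64", r"C:\Users\alice\qzk\kdr.js",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk",
    r"E:\.Trashes\103\rtx.js", r"E:\.Trashes\report.docx", r"E:\report.lnk",
    r"E:\vacation.jpg",  # benign file that must not be flagged
]
SAMPLE_REGISTRY = {EXPLORER_ADVANCED: {"Hidden": 2, "ShowSuperHidden": 0}}
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_PATHS, SAMPLE_REGISTRY)))
```

On a real host the path list would come from a directory walk of the user profile and each removable drive root, and the registry dict from exporting the Explorer\Advanced key; the heuristics only flag, they do not remove anything.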
The worm may create the following files:
- %userprofile%\%variable1%\%variable6%
- %userprofile%\AppData\Roaming\%variable1%\%variable6%
- %userprofile%\%variable1%\%variable7%
- %userprofile%\AppData\Roaming\%variable1%\%variable7%
- %userprofile%\%variable1%\%variable8%
- %userprofile%\AppData\Roaming\%variable1%\%variable8%
- %userprofile%\%variable1%\%variable9%
- %userprofile%\AppData\Roaming\%variable1%\%variable9%
A string with variable content is used instead of %variable6-9%.
The worm may delete the following files:
- %userprofile%\%variable1%\*.exe
- %userprofile%\AppData\Roaming\%variable1%\*.exe
- %userprofile%\Start Menu\Programs\Startup\*.js
- %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
The worm may create copies of itself in the folder:
- %temp%
The worm terminates processes with any of the following strings in the name:
- regedit
- windows-kb
- mrt
- rstrui
- msconfig
- procexp
- avast
- avg
- mse
- ptinstall
- sdasetup
- issetup
- fs20
- mbam
- housecall
- hijackthis
- rubotted
- autoruns
- avenger
- filemon
- gmer
- hotfix
- klwk
- mbsa
- procmon
- regmon
- sysclean
- tcpview
- unlocker
- wireshark
- fiddler
- resmon
- perfmon
- msss
- cleaner
- otl
- roguekiller
- fss
- zoek
- emergencykit
- dds
- ccsetup
- vbsvbe
- combofix
The worm may display a fake error message.
The worm may turn off the computer.
The worm can download and execute a file from the Internet.