JS/BONDAT Worm Observed

Quick post, ran across a JS/BONDAT Worm variant and thought I would highlight some analysis and detection opportunities.

First Detection Opportunity
This is a JavaScript file being executed via wscript, while this does not always mean "malicious", I find that detecting on Wscript.exe with a command line of .js does catch a fair number of malware families. 

Of course, you may need to negate some false positives as you run across them, but this is a good start.

Second Detection Opportunity

From the above image, you can see Wscript.exe writing a .JS file. This may be a good item to key in on as well. Again, some minot false positive may exist, but those should be easy to negate.

Understanding the Javascript
The first thing to day with the JS is to beautify it... We can go from This:

To This:

right away we can see that some data about the victim is being collected. In the following screenshot we will see the JS code and the resulting network traffic.

Based on this we can see the attempted POST data. Simple enough to decode. I'll focus on the "Computer Name, User Name and Windows Version"

As we already knew just by looking at the code, we can see and confirm that the network traffic is sending out data about our victim. I thought this was a fun exercise, so I wanted to share the POST data.

Third Detection Opportunity
Finally, I want to point out 1 additional detection opportunity that I've seen common with every JS/Bondat I've observed. Look for changes to the registry key path HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ With changes to the registry key values of Hidden and ShowSuperHidden. Reference Screenshot below:

Again, you may have some false positive to rule out, perhaps you want to specify a parent process like wscript, or powershell or something from the %userprofile% path.

One final note, this worm spreads by copying itself to USB drives as well. An infected USB can then spread to each system its plugged into.