Remove H-worm VBS worm from the System - How-to, Technology and PC Security Forum

Remove H-worm VBS worm from the System

Type: computer worm, RAT
Short description: H-worm is a VBS-based worm with RAT functionality that has been used in targeted attacks and in spam campaigns.
Symptoms: The worm collects sensitive host data and sends it to its command and control server.
Distribution method: Malicious links, spam e-mails, a malicious VBS file.

A computer worm is malicious software that should be removed from an infected PC immediately. H-worm falls into the category of VBS (Visual Basic Script) worms. It is also reported to have RAT (remote access Trojan) capabilities, which makes it more dangerous still. The name 'H-worm' comes from the worm's author, an individual going by the handle Houdini. According to security researchers at FireEye, the author is most likely based in Algeria.
H-worm has been used primarily in targeted attacks on companies in the energy sector. However, it has also been spotted in other campaigns delivered via e-mail attachments and malicious links.

H-worm Technical Description: RAT and Command & Control Server

An H-worm attack starts with a simple VBS file, which may be packaged inside a PE executable dropper. According to the research, in specific attacks multiple layers of obfuscation are wrapped around the worm. When analysing such samples, FireEye's researchers had to peel away:

  • Custom Base64 encoding.
  • Several levels of standard Base64 encoding, produced by a tool known as Safa Crypter.
  • Character substitutions.
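The three layer types above can be unwrapped mechanically once you know what each one looks like. The following Python script is an added example and is not code from the article or from FireEye's analysis: it builds a small constructed sample (a two-line VBS script wrapped in character substitution, two rounds of standard Base64 and one round of custom-alphabet Base64), then peels the layers off again by trying each decoder in turn and keeping a result only when it is printable text. The custom alphabet (`CUSTOM_ALPHABET`, a rotation of the standard one), the substitution table (`SUBST_ENC`) and the VBS marker strings are stand-ins chosen for this example; H-worm's real alphabet and substitution table are not given on this page.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for a "custom Base64" alphabet: the standard alphabet rotated by
# 13 positions. H-worm's real custom alphabet is not given on the page.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
STD_TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)
CUSTOM_TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)

# Constructed stand-in for a character-substitution layer and its inverse. The replacement
# characters do not occur in SAMPLE_SCRIPT, so the substitution is exactly reversible.
SUBST_ENC = str.maketrans("aeosMB", "@3!$#&")
SUBST_DEC = str.maketrans("@3!$#&", "aeosMB")

# Strings a decoded VBS payload is expected to contain. Every marker is broken by
# SUBST_ENC, so the loop cannot stop before the substitution layer has been undone.
VBS_MARKERS = ("CreateObject", "WScript.Shell", "MsgBox", "End Sub")

# Constructed, harmless VBS payload used as the sample input.
SAMPLE_SCRIPT = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'MsgBox sh.ExpandEnvironmentStrings("%USERNAME%")\n'
)


def build_sample(script: str) -> str:
    """Wrap a script in the layer types the write-up lists: substitution, then two rounds
    of standard Base64 (Safa Crypter style stacking), then custom-alphabet Base64."""
    s = script.translate(SUBST_ENC)
    for _ in range(2):
        s = base64.b64encode(s.encode("ascii")).decode("ascii")
    return base64.b64encode(s.encode("ascii")).decode("ascii").translate(STD_TO_CUSTOM)


def _b64(s: str) -> str:
    # validate=True makes non-alphabet characters raise instead of being skipped.
    return base64.b64decode(s, validate=True).decode("ascii")


def _custom_b64(s: str) -> str:
    # Map the custom alphabet back onto the standard one, then decode normally.
    return _b64(s.translate(CUSTOM_TO_STD))


def _subst(s: str) -> str:
    return s.translate(SUBST_DEC)


# Order matters: standard Base64 is tried before the custom alphabet, and substitution
# (which never fails) is the last resort.
DECODERS = (("base64", _b64), ("custom-base64", _custom_b64), ("substitution", _subst))


def is_printable(s: str) -> bool:
    return all(c in string.printable for c in s)


def looks_like_vbs(s: str) -> bool:
    return any(marker in s for marker in VBS_MARKERS)


def peel(blob: str, max_layers: int = 10):
    """Strip obfuscation layers until the text looks like VBS or no decoder applies.
    Returns (decoded_text, [layer names in the order they were removed])."""
    layers, cur = [], blob
    for _ in range(max_layers):
        if looks_like_vbs(cur):
            break
        for name, fn in DECODERS:
            try:
                out = fn(cur)
            except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
                continue
            if out != cur and is_printable(out):
                cur, layers = out, layers + [name]
                break
        else:
            break  # nothing produced printable text; stop rather than loop forever
    return cur, layers


if __name__ == "__main__":
    blob = build_sample(SAMPLE_SCRIPT)
    text, layers = peel(blob)
    print("layers removed:", layers)
    print(text)
```

For a real sample you would replace `build_sample` with the blob pulled out of the dropper, and swap in the alphabet and substitution table recovered from the decoding stub the VBS itself carries; the peeling loop stays the same. The printable-text check is what keeps a wrong decoder (for instance standard Base64 applied to custom-alphabet data) from being accepted, since a wrong alphabet yields bytes that almost never decode to clean ASCII.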

H-worm is also reported to exist in an AutoIt version, known as the 'underworld' variant. It offers the same functionality as the VBS version.

Once the worm has successfully contacted its command and control server, it generates a network beacon. As a result, several pieces of sensitive identifying information about the infected host are sent out in the HTTP User-Agent field.

In addition, H-worm supports multiple remote commands, such as:

  • Execute
  • Update
  • Uninstall
  • Send
  • Site-send
  • Recv
  • Enum-driver
  • Enum-faf
  • Enum-process
  • Cmd-shell
  • Delete
  • Exit-process
  • Sleep
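Both the beacon and the command list above give a defender something concrete to hunt for in proxy or network logs. The Python script below is an added example written for this article, not code from the original page or from FireEye: it walks a handful of constructed log lines, flags outbound requests whose User-Agent is a `<|>`-joined list of host details rather than a browser string, and flags server replies that begin with one of the command names listed above. The `<|>` separator and the field order in the sample User-Agent (volume serial, hostname, username, OS, and so on) follow FireEye's public description of H-worm as I recall it and should be treated as an assumption; the log format, IP addresses and hostnames are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Command names listed in the write-up above. FireEye's original sample list spells the
# first one "excecute"; both spellings are matched so a typo in the malware does not hide it.
HWORM_COMMANDS = {
    "execute", "excecute", "update", "uninstall", "send", "site-send", "recv",
    "enum-driver", "enum-faf", "enum-process", "cmd-shell", "delete",
    "exit-process", "sleep",
}

# Field separator used in the beacon User-Agent and in C2 replies. Assumption taken from
# FireEye's public description of H-worm, not from this page.
BEACON_SEP = "<|>"

# Constructed log format for this example (not a real proxy format):
#   <ts> <src> -> <dst> REQUEST ua="<User-Agent>"
#   <ts> <src> -> <dst> RESPONSE body="<first line of reply>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) '
    r'(?P<kind>REQUEST|RESPONSE) (?:ua|body)="(?P<payload>.*)"$'
)


def is_beacon_user_agent(ua: str, min_fields: int = 5) -> bool:
    """True when a User-Agent is a '<|>'-joined list of host details, not a browser string."""
    if BEACON_SEP not in ua or ua.startswith("Mozilla/"):
        return False
    return len(ua.split(BEACON_SEP)) >= min_fields


def command_in_response(body: str) -> Optional[str]:
    """Return the H-worm command a C2 reply starts with, or None. Parameters may follow
    the command after '<|>' or whitespace; matching is case-insensitive."""
    head = body.strip().split(BEACON_SEP, 1)[0]
    parts = head.split()
    if not parts:
        return None
    cmd = parts[0].lower()
    return cmd if cmd in HWORM_COMMANDS else None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, alert type, detail) for every beacon and C2 command found."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        payload = m["payload"]
        if m["kind"] == "REQUEST" and is_beacon_user_agent(payload):
            fields = payload.split(BEACON_SEP)
            alerts.append((m["ts"], "beacon",
                           f"{m['src']} -> {m['dst']} host={fields[1]} user={fields[2]}"))
        elif m["kind"] == "RESPONSE":
            cmd = command_in_response(payload)
            if cmd:
                alerts.append((m["ts"], "command", f"{m['src']} -> {m['dst']} cmd={cmd}"))
    return alerts


# Constructed sample log: one infected host beaconing and receiving two commands, and one
# clean host browsing normally. Addresses come from the documentation ranges.
SAMPLE_LOG = [
    '2015-03-02T10:01:04Z 10.0.0.5 -> 203.0.113.10:1888 REQUEST ua="4C1F2A9B<|>WIN7-PC<|>jdoe<|>Microsoft Windows 7 Professional<|>plus<|>Windows Defender<|>true"',
    '2015-03-02T10:01:05Z 203.0.113.10:1888 -> 10.0.0.5 RESPONSE body="enum-process"',
    '2015-03-02T10:01:09Z 10.0.0.7 -> 198.51.100.20:443 REQUEST ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"',
    '2015-03-02T10:01:10Z 198.51.100.20:443 -> 10.0.0.7 RESPONSE body="<!DOCTYPE html><html><body>ok</body></html>"',
    '2015-03-02T10:01:34Z 10.0.0.5 -> 203.0.113.10:1888 REQUEST ua="4C1F2A9B<|>WIN7-PC<|>jdoe<|>Microsoft Windows 7 Professional<|>plus<|>Windows Defender<|>true"',
    '2015-03-02T10:01:35Z 203.0.113.10:1888 -> 10.0.0.5 RESPONSE body="cmd-shell<|>ipconfig /all"',
]


if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_LOG):
        print(ts, kind, detail)
```

The User-Agent check is deliberately structural (separator count, not a fixed string) so it still fires when a variant changes the field contents; pair it with the command check on the reply, since a beacon followed by `enum-process` or `cmd-shell` from the same peer is far stronger evidence than either alone.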

FireEye researchers have also uncovered H-worm's builder and controller interface. Its control panel is written in Delphi, an Object Pascal development environment used for console, desktop, web and mobile applications.

Some of the worm's malicious features, such as the password grabber and the USB-spreading functionality, were not enabled in the analysed version. However, they may be active in newer variants of H-worm.

An examination of the command and control infrastructure reveals that it is shared with several infamous RATs (remote access Trojans), such as:

NjW0rm, NjRat/LV, XtremeRAT, PoisonIvy

The cyber criminals who wrote these probably operate many more RATs for use in multiple campaigns. Security specialists believe that H-worm shares a code base with njq8. Exactly how closely related they are remains unclear, but it is reasonable to assume that njq8 is a group specializing in RAT development.

Other Worms to Keep Away from:

Worm:VBS/Tibni.A

Who Is H-worm’s Creator Houdini?

Extensive security research on Houdini indicates that the author runs a portal showcasing his work, which also hosts a demo video of H-worm. The way the portal is written shows that the author is proficient in French and Arabic, hence the conclusion that he is from Algeria.

What to Do If Affected by H-Worm?

Many worms exploit network vulnerabilities to spread across the Internet; spam is another common distribution technique. To strengthen a system against malware, keep a capable anti-malware product installed and up to date. Also, plugging in unknown, unchecked USB drives and other external media is unsafe, all the more so because newer H-worm variants may have USB spreading enabled.

There are several more security tips to follow in order to stay protected against worms and RATs:

  • Choose a secure ISP (Internet Service Provider).
  • Enable automatic Windows updates.
  • Enable the Windows Firewall.
  • Keep your browser updated so that known vulnerabilities are patched promptly.
  • Backup your data.
  • Avoid p2p file sharing.

If you want to know more about worms and RATs, see our article about the most popular Trojan attacks in 2015.

NOTE! Important notice about the H-worm threat: removing H-worm requires expert knowledge. However, even if your computer skills are not at a professional level, don't worry: you can rid the system of the malware using a malware removal tool.
Milena Dimitrova, SensorsTechForum