The worm copies its executable file to one of the following folders: %APPDATA%, %TEMP%, or %STARTUP%. It then modifies registry keys so that it launches automatically when the operating system starts up. When a removable drive is detected, the worm copies its executable file to the root of the file system on the disk. The newly copied executable malware file, as well as all files and folders at the root of the disk, are assigned the System and Hidden attributes by Worm.VBS.Dinihou. In addition, the worm creates shortcuts (files with the .lnk extension) to imitate all files and folders at the root of the disk. The user sees these shortcuts instead of the real folders and files. When the user tries to open one of these “files” or “folders”, the worm is launched.
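A defender's triage of a removable drive root that shows the pattern just described (System+Hidden originals shadowed by same-named .lnk shortcuts), as an added example that is not Kaspersky's code or the worm's own. The directory listing, the file names and the script-extension set are constructed assumptions; the attribute bits come from the Win32 API via Python's stat module.

```python
import os
import stat
from dataclasses import dataclass

# Win32 attribute bits; the stat module exposes them on every platform.
SYSTEM_HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".wsf"}   # assumed script types

@dataclass
class Entry:
    name: str          # file or folder name at the drive root
    attributes: int    # Win32 attribute mask

def is_system_hidden(entry):
    """True when both System and Hidden are set, the combination the worm applies."""
    return (entry.attributes & SYSTEM_HIDDEN) == SYSTEM_HIDDEN

def triage(entries):
    """Split a root listing into decoy shortcuts, hidden scripts and items to restore."""
    hidden_names = {e.name for e in entries if is_system_hidden(e)}
    decoys, scripts, to_unhide = [], [], []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        ext = ext.lower()
        # A .lnk whose name minus the extension matches a System+Hidden entry
        # is the shortcut planted to stand in for that real file or folder.
        if ext == ".lnk" and stem in hidden_names:
            decoys.append(e.name)
        elif is_system_hidden(e) and ext in SCRIPT_EXTENSIONS:
            scripts.append(e.name)      # likely the worm's own copy
        elif is_system_hidden(e):
            to_unhide.append(e.name)    # user data the worm concealed
    return {"decoy_shortcuts": sorted(decoys),
            "hidden_scripts": sorted(scripts),
            "to_unhide": sorted(to_unhide)}

def scan_root(path):
    """Read a real drive root; st_file_attributes exists only on Windows."""
    return [Entry(n, getattr(os.stat(os.path.join(path, n)), "st_file_attributes", 0))
            for n in os.listdir(path)]

# Constructed sample listing of an infected drive root; names are placeholders.
SAMPLE_ROOT = [
    Entry("Photos", SYSTEM_HIDDEN | stat.FILE_ATTRIBUTE_DIRECTORY),
    Entry("Photos.lnk", stat.FILE_ATTRIBUTE_ARCHIVE),
    Entry("report.docx", SYSTEM_HIDDEN),
    Entry("report.docx.lnk", stat.FILE_ATTRIBUTE_ARCHIVE),
    Entry("update.vbs", SYSTEM_HIDDEN),    # stands in for the worm's copied file
    Entry("readme.txt", stat.FILE_ATTRIBUTE_ARCHIVE),
]
```

On a Windows host, `triage(scan_root("E:\\"))` runs the same heuristic against a mounted drive; the "to_unhide" list is what to clear the attributes on, and the decoy shortcuts are what to remove.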
The worm communicates with its command and control server over HTTP. To inform the server that it is ready to accept commands, it sends an HTTP POST request to the relative URL /is-ready. In response, the server sends a command ID and an optional list of command parameters.
Geographical distribution of attacks by the Worm.VBS.Dinihou family
Geographical distribution of attacks during the period from 27 September 2014 to 27 September 2015
Top 10 countries with most attacked users (% of total attacks)*
* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware