Home / malware

PDF

Worm:Win32/Vobfus.P

First posted on 31 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Vobfus.P is also known as Worm.Win32.VBNA.alxm (Kaspersky), W32/VBNA.BR (Norman), Worm.VBNA.Gen.3 (VirusBuster), Worm/Generic.BPYE (AVG), Worm/VBNA.U (Avira), Win32.HLLW.Autoruner.25726 (Dr.Web), Worm.Win32.Vobfus (Ikarus), Downloader-CJX.gen.g (McAfee), Mal/SillyFDC-D (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Changeup.C (Symantec), WORM_VBNA.SMN (Trend Micro).

Explanation :

Win32/Vobfus.P is a worm that spreads via network drives and removable drives.
Top

Win32/Vobfus.P is a worm that spreads via network drives and removable drives. Installation When executed, the worm copies itself to %HOMEPATH%\<random letters>.exe and sets the following corresponding registry entry to execute this copy at each Windows start: Adds value: "<random letters>" With data: "%HOMEPATH%\<random letters>.exe" To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Note: %HOMEPATH% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Homepath folder for Windows 2000 and NT is \Documents and Settings\<user>; and for XP, Vista, and 7 is \Users\<user>. Spreads via... Network and removable drives The worm copies itself to the root directory of the network and removable drives using the same random file name as its copy in %HOMEPATH%. The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. Additional copies of the worm with the name "<random letters>.scr" may also be created. In addition, another copy of the worm is created using "<random letters>x.exe", with the following shortcut files referencing it:

..lnk

...lnk

Documents.lnk

Music.lnk

New Folder.lnk

Passwords.lnk

Pictures.lnk

Video.lnk

The worm exploits the LNK vulnerability by creating the following files:

z<two random characters>.lnk - detected as Exploit:Win32/CplLnk.B

z<two random characters>.dll

x.exe - detected as Win32/Vobfus.P

The dropped DLL will launch x.exe on vulnerable systems. Payload Modifies computer settings Win32/Vobfus.P marks its executables as hidden files, and periodically overwrites the following registry value to ensure the hidden files are not displayed in Windows Explorer: Adds value: "ShowSuperHidden" with data: "0" To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Terminates processes and threads Win32/Vobfus.P protects its processes by modifying two Windows system APIs (TerminateProcess and TerminateThread). Any processes attempting to terminate the worm process will be crashed. Downloads and executes arbitrary files Win32/Vobfus.P tries to download additional files from a remote server via TCP port 8000. Some of the sites it has observed to be downloading files from are:

theimageparlour.net

thepicturehut.net

Analysis by Shali Hsieh

Last update 31 July 2010

 

TOP