
Worm:Win32/Vobfus.NI


First posted on 31 January 2013.
Source: Microsoft

Aliases:

Worm:Win32/Vobfus.NI is also known as Worm/Win32.Vobfus (AhnLab), Worm.Win32.Vobfus.atgt (Kaspersky), W32/Vobfus.CILM (Norman), Worm/Vobfus.atgtan (Avira), Win32/VBObfus.JO trojan (ESET), W32/Autorun.worm.aaeh (McAfee), W32/VBNA-AM (Sophos), WORM_VOBFUS.SMIS (Trend Micro).

Explanation:

Installation

Worm:Win32/Vobfus.NI may drop several copies of itself under the following file names:

  • %UserProfile%\passwords.exe
  • %UserProfile%\porn.exe
  • %UserProfile%\secret.exe
  • %UserProfile%\sexy.exe
  • %UserProfile%\vbxuin.exe
  • %UserProfile%\rcx10.tmp
  • %UserProfile%\rcx11.tmp
  • %UserProfile%\rcx12.tmp
  • %UserProfile%\rcx13.tmp
  • %UserProfile%\rcx14.tmp
  • %UserProfile%\rcx15.tmp
  • %UserProfile%\rcx16.tmp
  • %UserProfile%\rcx17.tmp
  • %UserProfile%\rcx18.tmp
  • %UserProfile%\rcx19.tmp
  • %UserProfile%\rcx1a.tmp
  • %UserProfile%\rcx1b.tmp
  • %UserProfile%\rcx1c.tmp
  • %UserProfile%\rcx1d.tmp
  • %UserProfile%\rcx1e.tmp
  • %UserProfile%\rcx7.tmp
  • %UserProfile%\rcx8.tmp
  • %UserProfile%\rcx9.tmp
  • %UserProfile%\rcxa.tmp
  • %UserProfile%\rcxb.tmp
  • %UserProfile%\rcxc.tmp
  • %UserProfile%\rcxd.tmp
  • %UserProfile%\rcxe.tmp
  • %UserProfile%\rcxf.tmp


Note: %UserProfile% refers to a variable location that the malware determines by querying the operating system. The default location of the user profile folder is "C:\Documents and Settings\<user name>" on Windows 2000, XP and Server 2003, and "C:\Users\<user name>" on Windows Vista, 7 and 8.

Worm:Win32/Vobfus.NI also creates the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "vbxuin"
With data: "%UserProfile%\vbxuin.exe /i"

Spreads via...

Removable drives

Worm:Win32/Vobfus.NI may create the following copies on available drives:

  • <Drive>:\passwords.exe
  • <Drive>:\porn.exe
  • <Drive>:\qxfiah.exe
  • <Drive>:\secret.exe
  • <Drive>:\sexy.exe
  • <Drive>:\subst.exe


It also places an "autorun.inf" file in the root folder of the drive, which allows the copies to run automatically whenever the drive is accessed and Autorun is enabled.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
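The following is an added example, not part of this entry or of Microsoft's tooling. It shows how to read an autorun.inf taken from a drive's root folder, work out which files the [autorun] section would launch (the open=, shellexecute= and shell\<verb>\command= keys), and compare those names with the drive-root copies listed above, so that a legitimate installer's autorun.inf is told apart from one dropped by this worm. Both autorun.inf texts in the block are constructed for illustration.

```python
"""Report which files an autorun.inf would launch from a removable drive.

Added example, not part of this entry or of Microsoft's tooling. It reads the
[autorun] section keys that cause execution (open=, shellexecute=, and
shell\<verb>\command=) and compares the referenced file names with the copies
this entry lists for Worm:Win32/Vobfus.NI. Both autorun.inf texts below are
constructed for illustration.
"""
import re

# Copy names this entry lists in a drive's root folder.
VOBFUS_NI_DRIVE_COPIES = {"passwords.exe", "porn.exe", "qxfiah.exe",
                          "secret.exe", "sexy.exe", "subst.exe"}

# Keys whose value is executed when AutoRun honours the file.
_EXEC_KEYS = {"open", "shellexecute"}
_SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key_lower: value} from the [autorun] section.

    Tolerates a BOM, mixed case, comment lines (;) and junk lines outside the
    section, all of which turn up in autorun.inf files written by worms.
    """
    entries, in_section = {}, False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _program(command):
    """Lower-case basename of the program a value names: first token, quotes and path stripped."""
    token = command.split()[0] if command.split() else ""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_files(entries):
    """Set of program basenames the parsed autorun.inf would run."""
    return {_program(v) for k, v in entries.items()
            if k in _EXEC_KEYS or _SHELL_COMMAND.match(k)}


def assess(text):
    """Return (files the autorun.inf launches, those matching this entry's copy names)."""
    files = launched_files(parse_autorun(text))
    return files, files & VOBFUS_NI_DRIVE_COPIES


# Constructed: modelled on the drive-root copies listed above, with a junk line,
# mixed case, and a decoy action= text imitating Explorer's own AutoPlay choice.
SAMPLE_AUTORUN_INF = r"""
xQv=3fkd
[AutoRun]
open=subst.exe
shell\open\Command=subst.exe
shell\explore\command=qxfiah.exe
shellexecute=qxfiah.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed: what an installation CD's autorun.inf typically looks like.
BENIGN_AUTORUN_INF = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        files, hits = assess(text)
        print(f"{name}: launches {sorted(files)}; matches Vobfus.NI names: {sorted(hits)}")
```

A match on the copy names is an indicator to follow up on the drive, not proof by itself; a hit on a file that is also hidden and sitting next to an autorun.inf in the root folder is the combination worth acting on. Note also that Windows 7, and Windows XP and Vista with update KB971029 applied, no longer honour autorun.inf on USB and other non-optical media, so the autorun.inf is mainly a spreading aid against older or unpatched systems and a useful forensic artefact on any system.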



Payload

Changes computer settings

Worm:Win32/Vobfus.NI makes the following changes to your computer:

It prevents Windows Explorer from showing protected operating system files (files carrying both the hidden and system attributes), which is the "Hide protected operating system files" option in Folder Options:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

It also disables Automatic Updates:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoUpdate"
With data: "1"
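The following is an added example, not part of this entry or of Microsoft's tooling. It ties together the registry indicators above: the Run value created under Installation and the two setting changes in this section. It parses a registry export in the "Windows Registry Editor Version 5.00" text format (as written by reg export) and reports a Run value that launches one of the copy names listed under Installation, ShowSuperHidden set to 0, and NoAutoUpdate set to 1. The export text in the block is constructed for illustration; the user name "alice" and the two ordinary Run entries are assumptions.

```python
"""Check a Windows registry export for the Vobfus.NI persistence and setting changes.

Added example, not Microsoft's tooling. It parses the REG_SZ and DWORD values of a
"Windows Registry Editor Version 5.00" export (such as one written by `reg export`)
and looks for the three indicators this entry describes: a Run value launching one
of the listed copy names, Explorer's ShowSuperHidden set to 0, and Windows Update's
NoAutoUpdate set to 1. The export text at the bottom is constructed for illustration.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# File names from the Installation section; the rcx<hex>.tmp copies are matched by pattern.
DROP_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "vbxuin.exe"}
TMP_DROP = re.compile(r"^rcx[0-9a-f]+\.tmp$")

# "name"=data   (the name may contain \" and \\ escapes)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path_lower: {value_name: data}} for string and dword values.

    Other value types (hex:, hex(2):, the @ default value) are skipped; they are
    not needed for these checks.
    """
    keys, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])   # REG_SZ
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)       # REG_DWORD
    return keys


def program_basename(command):
    """Lower-case file name of the program in a Run command.

    Quoted paths are taken as written. An unquoted path containing spaces (for
    example %UserProfile% expanded to C:\\Documents and Settings\\<user>) is
    resolved by growing the prefix token by token until it ends in a program
    extension, similar to how CreateProcess probes an unquoted command line.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        tokens = command.split()
        program = tokens[0] if tokens else ""
        for i in range(1, len(tokens) + 1):
            candidate = " ".join(tokens[:i])
            if candidate.lower().endswith((".exe", ".tmp", ".com", ".scr")):
                program = candidate
                break
    return program.rsplit("\\", 1)[-1].lower()


def check_vobfus_ni(reg_text):
    """Return findings as (area, value name, data) tuples; an empty list means no indicator matched."""
    keys = parse_reg(reg_text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if isinstance(data, str):
            base = program_basename(data)
            if base in DROP_NAMES or TMP_DROP.match(base):
                findings.append(("Run", name, data))
    if keys.get(ADVANCED_KEY.lower(), {}).get("ShowSuperHidden") == 0:
        findings.append(("Explorer\\Advanced", "ShowSuperHidden", 0))
    if keys.get(AU_KEY.lower(), {}).get("NoAutoUpdate") == 1:
        findings.append(("WindowsUpdate\\AU", "NoAutoUpdate", 1))
    return findings


# Constructed export: two ordinary XP-era Run entries plus the three indicators from this entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"vbxuin"="C:\\Documents and Settings\\alice\\vbxuin.exe /i"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""

if __name__ == "__main__":
    for finding in check_vobfus_ni(SAMPLE_REG_EXPORT):
        print(finding)
```

To produce real input, export each of the three keys with reg export (for example reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg) and read the files with encoding="utf-16", since reg export writes UTF-16 with a byte-order mark. Treat the two setting checks as weak indicators on their own: ShowSuperHidden is 0 by default on a clean system, and NoAutoUpdate may be set to 1 legitimately by Group Policy. The Run value pointing at one of the copy names is the indicator that identifies this worm.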

Downloads and runs arbitrary files

Worm:Win32/Vobfus.NI may contact a remote server to find out where it can download other files from. In the wild, we have observed this worm connecting to "ns1.helpchecks.com".



Analysis by Jireh Sanico

Last update 31 January 2013
