
Worm:Win32/Vobfus.V


First posted on 23 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Vobfus.V is also known as W32/VB.BA!Eldorado (Authentium (Command), Worm.Win32.VBNA.aiuj (Kaspersky), Worm.VBNA.Gen.3 (VirusBuster), Worm/VB.12.O (AVG), Win32/Vobfus!generic (CA), Win32/AutoRun.VB.RD (ESET), Worm.Win32.Vobfus (Ikarus), Downloader-CJX.gen.a (McAfee), Mal/SillyFDC-D (Sophos), WORM_VBNA.PSP (Trend Micro).

Explanation :

Worm:Win32/Vobfus.V is a detection of obfuscated Visual Basic (VB) compiled malware that spreads via removable drives and downloads additional malware from remote servers.

Installation

Worm:Win32/Vobfus.V drops a file with 'hidden', 'system' and 'read-only' attributes, with a random name under the %UserProfile% folder; for example, houtor.exe. This file is detected as Worm:Win32/Vobfus.V.

Worm:Win32/Vobfus.V modifies the following registry entry to run the dropped file on Windows start:

Adds value: "<random name>"
With data: "%UserProfile%\<random name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via…

Removable drives

Worm:Win32/Vobfus.V spreads itself by dropping an "autorun.inf" and a copy of itself to the root of all removable drives. When the removable drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically. The copy of itself can be either an .exe or an .scr file; the file name is the same as the name the worm uses when it installs under %UserProfile%. Worm:Win32/Vobfus.V also drops shortcut links to the root of all removable drives that point to the dropped executable files. The worm has been observed using the following link names:

  • new folder.lnk
  • passwords.lnk
  • documents.lnk
  • pictures.lnk
  • music.lnk
  • video.lnk
  • subst.lnk
  • ..lnk
  • ...lnk

Payload

Modifies computer settings

Worm:Win32/Vobfus.V modifies the following registry entry to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Terminates processes and threads

Worm:Win32/Vobfus.V prevents security software from terminating its processes by patching two Windows system APIs (TerminateProcess and TerminateThread).

Downloads and executes arbitrary files

Worm:Win32/Vobfus.V tries to download additional files from a remote server and saves them under %UserProfile%; we have observed the worm contacting the following domains:

  • ns2.thepicturehut.net
  • ns4.thepicturehut.net

We have observed the worm downloading files detected as Trojan:Win32/Hiloti and Trojan:Win32/Alureon.CT.
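
A defender-side triage check for the removable-drive artifacts described in the "Spreads via…" section, as an added example (not code from the original advisory or from any vendor): it scans a directory standing in for a drive root, parses the launch keys of an autorun.inf, and flags the lure .lnk names listed above when they sit beside a root-level .exe/.scr. The sample drive root is constructed in a temporary directory with empty files, and the function names are my own.

```python
"""Triage helper for the removable-drive artifacts this worm leaves (added example).
Scans a directory standing in for a removable drive root and reports an autorun.inf
that launches a file present in the root, and lure .lnk names beside a root .exe/.scr."""
import os
import tempfile

# Shortcut names the advisory lists as observed on infected drives.
LURE_LINKS = {"new folder.lnk", "passwords.lnk", "documents.lnk", "pictures.lnk",
              "music.lnk", "video.lnk", "subst.lnk", "..lnk", "...lnk"}

def autorun_targets(path):
    """Return the distinct file names an autorun.inf would launch."""
    targets = []
    with open(path, encoding="latin-1", errors="replace") as fh:
        for line in fh:
            line = line.strip()
            if "=" not in line or line.startswith((";", "[")):
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open=, shellexecute= and shell\<verb>\command= all name a program to run
            if key in ("open", "shellexecute") or (key.startswith("shell") and key.endswith("command")):
                exe = value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]
                name = os.path.basename(exe.replace("\\", "/"))
                if name and name not in targets:
                    targets.append(name)
    return targets

def scan_drive_root(root):
    """Return (indicator, detail) pairs for artifacts matching the worm's behaviour."""
    actual = {name.lower(): name for name in os.listdir(root)}  # case-insensitive lookup
    findings = []
    if "autorun.inf" in actual:
        for target in autorun_targets(os.path.join(root, actual["autorun.inf"])):
            if target.lower() in actual:
                findings.append(("autorun_launches_local_file", actual[target.lower()]))
    lures = sorted(n for n in actual if n in LURE_LINKS)
    executables = sorted(n for n in actual if n.endswith((".exe", ".scr")))
    if lures and executables:
        findings.append(("lure_links_beside_root_executable", ", ".join(lures + executables)))
    return findings

def build_sample_root():
    """Construct a stand-in drive root of empty files carrying the artifacts above."""
    root = tempfile.mkdtemp(prefix="vobfus_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=houtor.exe\nshell\\open\\command=houtor.exe\n")
    for name in ("houtor.exe", "passwords.lnk", "pictures.lnk", "report.docx"):
        open(os.path.join(root, name), "w").close()
    return root
```

Run `scan_drive_root(build_sample_root())` to see the two findings; pointing it at a mounted drive's root applies the same checks to real media.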

    Analysis by Elda Dimakiling

    Last update 23 July 2010
