Worm:Win32/Vobfus.MD
First posted on 29 November 2012.
Source: Microsoft
Aliases:
Worm:Win32/Vobfus.MD is also known as Worm/Win32.VBNA (AhnLab), WORM_VOBFUS.SMIS (Trend Micro).
Explanation:
Worm:Win32/Vobfus.MD is a worm that spreads via removable drives and downloads additional malware from a remote server. It is a member of the Win32/Vobfus family.
We have observed Worm:Win32/Vobfus.MD attempting to download variants of TrojanDownloader:Win32/Beebone (a trojan that downloads other malware, including variants of the Win32/Acbot family of trojans that spread through social media websites).
Installation
When run, Worm:Win32/Vobfus.MD drops a copy of itself as an executable file (EXE) in the %USERPROFILE% folder using a random file name, for example "zuaixap.exe" or "nuaeku.exe".
Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>".
Worm:Win32/Vobfus.MD modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "%USERPROFILE%\<malware file name> /<random parameter>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "peuolig"
With data: "C:\Users\<user name>\peuolig.exe /n"
Spreads via...
Network and removable drives
Worm:Win32/Vobfus.MD copies itself to the root folder of all available network and removable drives with the file name "rcx<random>.tmp", for example "rcx11.tmp".
It then renames this file to any of the following:
- passwords.exe
- porn.exe
- secret.exe
- sexy.exe
- subst.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed, the malware may be launched automatically.
This is a particularly common malware behavior, generally used to spread malware from one computer to another.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Payload
Downloads arbitrary files
Worm:Win32/Vobfus.MD attempts to contact the remote server "ns1.helpchecks.net" to receive instructions, including the instruction to download variants of TrojanDownloader:Win32/Beebone.
TrojanDownloader:Win32/Beebone is a family of trojans that download other malware, including variants of the Win32/Acbot family of trojans that spread through social media websites.
Modifies computer settings
Worm:Win32/Vobfus.MD modifies the following registry entry to prevent the display of files that have "SYSTEM" and "HIDDEN" attributes:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Worm:Win32/Vobfus.MD also modifies the following registry entry to disable your computer's Automatic Updates feature:
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoUpdate"
With data: "1"
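As an added example (not part of the Microsoft write-up), the following Python script turns the indicators above into offline triage checks: it parses a text registry export (such as one written by reg export) for the Run entry, the ShowSuperHidden change and the NoAutoUpdate change, and checks a drive-root directory listing for autorun.inf beside one of the lure names or an rcx<random>.tmp copy. The sample export and listing are constructed; the user name alice and the legitimate OneDrive Run entry used as a negative case are assumptions.

```python
# Added example (not from the Microsoft write-up): offline triage of the indicators above.
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe"}
RUN_DATA_RE = re.compile(r'^"?(?P<path>[a-z]:\\(?:Users|Documents and Settings)\\[^\\]+\\'
                         r'(?P<base>[^\\"]+)\.exe)"?\s+/(?P<sw>[a-z])$', re.I)  # "<profile root>\<name>.exe /<letter>"

def parse_reg_export(text):
    """Minimal .reg parser: {subkey: {value_name: str | int}}; DWORD values become ints."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line:
            name, data = line.split("=", 1)
            data = (int(data[6:], 16) if data.startswith("dword:")  # REG_DWORD value
                    else data.strip('"').replace('\\"', '"').replace("\\\\", "\\"))  # undo .reg escaping
            cur[name.strip('"')] = data
    return keys

def registry_findings(reg):
    """Report the three registry changes described in the write-up."""
    out = []
    for name, data in reg.get(RUN_KEY, {}).items():
        m = RUN_DATA_RE.match(str(data))
        if m and m["base"].lower() == name.lower():  # value name equals the dropped file's base name
            out.append(f"Run value '{name}' starts {m['path']} /{m['sw']} from the profile root")
    if reg.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        out.append("ShowSuperHidden=0: system/hidden files no longer shown in Explorer")
    if reg.get(AU_KEY, {}).get("NoAutoUpdate") == 1:
        out.append("NoAutoUpdate=1: Automatic Updates disabled by policy")
    return out

def drive_root_findings(listing):
    """Flag autorun.inf together with a lure name or an rcx<random>.tmp copy on a drive root."""
    names = {n.lower() for n in listing}
    hits = sorted(names & LURE_NAMES) + sorted(n for n in names if re.fullmatch(r"rcx\w+\.tmp", n))
    return hits if "autorun.inf" in names else []

SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"peuolig"="C:\\Users\\alice\\peuolig.exe /n"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001'''  # constructed sample export, not captured from a real host
SAMPLE_ROOT = ["autorun.inf", "Secret.exe", "rcx11.tmp", "holiday photos"]  # constructed listing
```

Only a Run entry whose value name matches an executable sitting directly in the profile root with a one-letter switch is flagged, so the quoted OneDrive entry in the sample is correctly ignored.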
Related encyclopedia entries
TrojanDownloader:Win32/Beebone
Win32/Vobfus
Win32/Acbot
Analysis by Patrick Estavillo
Last update 29 November 2012