Home / malwarePDF  

Worm:Win32/Vobfus.SW


First posted on 30 August 2013.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Vobfus.SW.

Explanation :

Threat behavior Worm:Win32/Vobfus.SW is a member of Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files.

Installation

Worm:Win32/Vobfus.SW creates the following files on an affected computer:

  • c:\documents and settings\administrator\yaonat.exe
  • c:\documents and settings\administrator\local settings\temp\7a83_appcompat.txt


Spreads via€¦

Removable drives
Worm:Win32/Vobfus.SW may create the following files on targeted drives when spreading:

  • <targeted drive>:\...exe
  • <targeted drive>:\..exe
  • <targeted drive>:\passwords.exe
  • <targeted drive>:\porn.exe
  • <targeted drive>:\rcx10.tmp
  • <targeted drive>:\rcx11.tmp
  • <targeted drive>:\rcx12.tmp
  • <targeted drive>:\rcx13.tmp
  • <targeted drive>:\rcx14.tmp
  • <targeted drive>:\rcx15.tmp
  • <targeted drive>:\rcx16.tmp
  • <targeted drive>:\rcx17.tmp
  • <targeted drive>:\rcx18.tmp
  • <targeted drive>:\rcx19.tmp
  • <targeted drive>:\rcxe.tmp
  • <targeted drive>:\rcxf.tmp
  • <targeted drive>:\secret.exe
  • <targeted drive>:\sexy.exe
  • <targeted drive>:\subst.exe
  • <targeted drive>:\yaonat.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Contacts remote host
Worm:Win32/Vobfus.SW may contact a remote host at ns1.spansearcher.net using port 8000. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 b16ecebb6b9b6f801353bb909d736f5a41f8843d.Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

c:\documents and settings\administrator\yaonat.exe
c:\documents and settings\administrator\local settings\temp\7a83_appcompat.txt

Last update 30 August 2013

 

TOP

Malware :

Family: