Home / malwarePDF  

Worm:Win32/Vobfus.AAV


First posted on 22 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Vobfus.AAV.

Explanation :

Threat behavior Worm:Win32/Vobfus.AAV is a member of Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files.

Installation

Worm:Win32/Vobfus.AAV copies itself to the following locations:

  • c:\documents and settings\administrator\pafaaac\1.exe
  • c:\documents and settings\administrator\pafaaac\2.exe
  • c:\documents and settings\administrator\pafaaac\3.exe
  • c:\documents and settings\administrator\pafaaac\4.exe
  • c:\documents and settings\administrator\pafaaac\caaafap.exe
The malware creates the following files on your PC:
  • c:\documents and settings\administrator\pafaaac\rcx10.tmp
  • c:\documents and settings\administrator\pafaaac\rcx11.tmp
  • c:\documents and settings\administrator\pafaaac\rcx12.tmp
  • c:\documents and settings\administrator\pafaaac\rcx13.tmp
  • c:\documents and settings\administrator\pafaaac\rcx14.tmp
  • c:\documents and settings\administrator\pafaaac\rcx15.tmp
  • c:\documents and settings\administrator\pafaaac\rcx16.tmp
  • c:\documents and settings\administrator\pafaaac\rcx17.tmp
  • c:\documents and settings\administrator\pafaaac\rcx18.tmp
  • c:\documents and settings\administrator\pafaaac\rcx19.tmp
  • c:\documents and settings\administrator\pafaaac\rcx1a.tmp
  • c:\documents and settings\administrator\pafaaac\rcx1b.tmp
  • c:\documents and settings\administrator\pafaaac\rcx1c.tmp
  • c:\documents and settings\administrator\pafaaac\rcx1d.tmp
  • c:\documents and settings\administrator\pafaaac\rcx1e.tmp
  • c:\documents and settings\administrator\start menu\programs\startup\caaafap.lnk


Spreads via€¦

Removable drives
Worm:Win32/Vobfus.AAV can create the following files on targeted drives when spreading:

  • :\caaafap.exe
  • :\favourites.lnk
  • :\i love you.exe
  • :\movies.lnk
  • :\music.lnk
  • :\naked.exe
  • :\password.exe
  • :\passwords.lnk
  • :\pictures.lnk
  • :\private.lnk
  • :\search.lnk
  • :\secret folder.lnk
  • :\sexy.exe
  • :\subst.exe
  • :\webcam.exe

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Changes system security settings
Worm:Win32/Vobfus.AAV disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:

Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Contacts remote host
The malware might contact a remote host at ns1.dnsfor0.com using port 7001. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC

This malware description was produced and published using automated analysis of file SHA1 dad5bfefb8b1e7dd4dd7e3214eedf7cd9c84183c.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\documents and settings\administrator\pafaaac\1.exe
    c:\documents and settings\administrator\pafaaac\2.exe
    c:\documents and settings\administrator\pafaaac\3.exe
    c:\documents and settings\administrator\pafaaac\4.exe
    c:\documents and settings\administrator\pafaaac\caaafap.exe
    c:\documents and settings\administrator\pafaaac\rcx10.tmp
    c:\documents and settings\administrator\pafaaac\rcx11.tmp
    c:\documents and settings\administrator\pafaaac\rcx12.tmp
    c:\documents and settings\administrator\pafaaac\rcx13.tmp
    c:\documents and settings\administrator\pafaaac\rcx14.tmp
    c:\documents and settings\administrator\pafaaac\rcx15.tmp
    c:\documents and settings\administrator\pafaaac\rcx16.tmp
    c:\documents and settings\administrator\pafaaac\rcx17.tmp
    c:\documents and settings\administrator\pafaaac\rcx18.tmp
    c:\documents and settings\administrator\pafaaac\rcx19.tmp
    c:\documents and settings\administrator\pafaaac\rcx1a.tmp
    c:\documents and settings\administrator\pafaaac\rcx1b.tmp
    c:\documents and settings\administrator\pafaaac\rcx1c.tmp
    c:\documents and settings\administrator\pafaaac\rcx1d.tmp
    c:\documents and settings\administrator\pafaaac\rcx1e.tmp
  • You see these entries or keys in your registry:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Last update 22 July 2014

 

TOP