Home / malware Worm:Win32/Vobfus.RS
First posted on 11 July 2019.
Source: MicrosoftAliases :
Worm:Win32/Vobfus.RS is also known as W32/Autorun.worm.aaeh, Worm.Win32.Vobfus.egkw.
Explanation :
Worm:Win32/Vobfus.RS is a member of Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files. Installation When executed, Worm:Win32/Vobfus.RS copies itself to the following locations:
c:documents and settingsadministratorpaiuce.exe c:documents and settingsadministratorpasswords.exe c:documents and settingsadministratorporn.exe c:documents and settingsadministratorsecret.exe c:documents and settingsadministratorsexy.exe c:documents and settingsadministratorcpasswords.exe c:documents and settingsadministratorcporn.exe c:documents and settingsadministratorcsecret.exe c:documents and settingsadministratorcsexy.exe
The malware creates the following files on an affected computer:
c:documents and settingsadministrator
cx10.tmp c:documents and settingsadministrator
cx11.tmp c:documents and settingsadministrator
cx12.tmp c:documents and settingsadministrator
cx13.tmp c:documents and settingsadministrator
cx14.tmp c:documents and settingsadministrator
cx15.tmp c:documents and settingsadministrator
cx16.tmp c:documents and settingsadministrator
cx17.tmp c:documents and settingsadministrator
cx18.tmp c:documents and settingsadministrator
cx19.tmp c:documents and settingsadministrator
cx1a.tmp c:documents and settingsadministrator
cx1b.tmp c:documents and settingsadministrator
cx1c.tmp c:documents and settingsadministrator
cx1d.tmp c:documents and settingsadministrator
cx1e.tmp c:documents and settingsadministrator
cx1f.tmp c:documents and settingsadministrator
cx20.tmp c:documents and settingsadministrator
cx21.tmp c:documents and settingsadministrator
cx22.tmp c:documents and settingsadministrator
cx23.tmp Spreads via… Removable and network drives Worm:Win32/Vobfus.RS may create the following files on targeted drives when spreading:
:paiuce.exe :passwords.exe :porn.exe :secret.exe :sexy.exe :subst.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. Payload Contacts remote host Worm:Win32/Vobfus.RS may contact a remote host at ns1.boxonline1.com using port 7005. Commonly, malware may contact a remote host for the following purposes: To report a new infection to its author To receive configuration or other data To download and execute arbitrary files (including updates or additional malware) To receive instruction from a remote attacker To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 fce604ed4575709311cc6a2c64f2ef4b400f3378.Last update 11 July 2019
