Home / malware Worm:Win32/Vobfus.R
First posted on 08 April 2019.
Source: MicrosoftAliases :
Worm:Win32/Vobfus.R is also known as Worm.Win32.VBNA.aiua, Virus identified Worm/VB.12.O, TR/Dldr.Gaat.B, Trojan.Generic.4481229, Win32/Vobfus!generic, Trojan.Inject.8955, Worm.Win32.VBNA, Downloader-CJX, Mal/AutoRun-P, W32.Changeup, WORM_VBNA.BQX.
Explanation :
Worm:Win32/Vobfus.R is a detection of obfuscated Visual Basic (VB) complied malware that spreads via removable drives and downloads additional malware from remote servers. Installation Worm:Win32/Vobfus.R drops a file with 'hidden', 'system' and 'read-only' attributes, with a random name under %UserProfile%; for example, houtor.exe. This file is detected as Worm:Win32/Vobfus.R. Worm:Win32/Vobfus.R modifies the following registry entries to run the dropped file on Windows start: Adds value: "
" With data: "%UserProfile% " To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun Worm:Win32/Vobfus.R modifies following registry entries to hide the 'hidden' system attribute file in Windows Explorer: Adds value: "ShowSuperHidden" with data: "0" To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Spreads via… Removable drives Worm:Win32/Vobfus.R spreads itself by dropping an "autorun.inf" and a copy of itself to the root of all removable drives. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically. The copy of itself can be either .exe or .scr; the file name is same as the name the worm uses when it installs under %UserProfile%. Worm:Win32/Vobfus.R also drops shortcut links to the root of all removable drives, that point to the dropped executable files. The worm has been observed using the following link names: new folder.lnk passwords.lnk documents.lnk pictures.lnk music.lnk video.lnk subst.lnk ..lnk ...lnk Payload Terminates processes and threads Worm:Win32/Vobfus.R prevents security software from terminating its processes by patching two Windows system APIs (TerminateProcess and TerminateThread). Downloads and executes arbitrary files Worm:Win32/Vobfus.R tries to download additional files from a remote server under %UserProfile%; we have observed the worm contacting the following domains: ns2.thepicturehut.net ns4.thepicturehut.net We have observed the worm downloading files detected as Trojan:Win32/Hiloti and Trojan:Win32/Alureon.CT. Analysis by Shawn Wang Last update 08 April 2019
