Worm:Win32/Vobfus
First posted on 24 January 2013.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Vobfus.
Explanation:
Worm:Win32/Vobfus is a family of worms that spread via removable drives and download additional malware from remote servers. The worms are written in Visual Basic (VB) and are obfuscated.
Installation
Upon execution, Worm:Win32/Vobfus creates a mutex named "A" to ensure that only one copy of its process runs on the computer at a time.
It then drops a copy of itself directly in the "C:\Documents and Settings\<user>" folder using a random file name, for example:
C:\documents and settings\Administrator\zkyip.exe
It then creates the following registry entry so it runs each time you start your computer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random>
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"
For example:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"
Spreads via...
Network and removable drives
The worm copies itself to the root directory of network and removable drives under the temporary name "rcx<hexadecimal number>.tmp", then renames this TMP file to one of the following:
- passwords.exe
- porn.exe
- secret.exe
- sexy.exe
- subst.exe
- system.exe
The worm then writes an Autorun configuration file named "autorun.inf" at the drive root that points to the worm copy. If the drive is accessed from a computer that honours the AutoRun feature, the worm is launched automatically.
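The removable-drive behaviour above (an rcx<hex>.tmp staging file, a rename to one of the listed names, and an autorun.inf that launches the copy) is what an analyst checks when triaging a suspect USB stick. The following script is an added example written for this page, not code from Microsoft or from the worm: it parses an autorun.inf, extracts every executable the file would launch, and compares those targets and the root listing against the indicators listed above. The autorun.inf content and the directory listing are constructed for the example; the page does not reproduce the worm's actual autorun.inf.

```python
import re

# Filenames the page lists for the worm's renamed copy at the drive root.
WORM_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe",
              "subst.exe", "system.exe"}
# Staging name used before the rename: rcx<hex>.tmp
TMP_RE = re.compile(r"^rcx[0-9a-f]+\.tmp$", re.I)
# [autorun] keys that can name something to execute (keys are compared
# lower-cased, so shell\open\Command and shell\open\command both match).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, ignoring junk lines."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_targets(entries):
    """Executables an autorun.inf would launch, in key order, de-duplicated."""
    targets = []
    for key in LAUNCH_KEYS:
        cmd = entries.get(key)
        if not cmd:
            continue
        m = re.match(r'"([^"]+)"|(\S+)', cmd)  # first token, quoted or bare
        exe = m.group(1) or m.group(2)
        if exe not in targets:
            targets.append(exe)
    return targets


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_drive_root(filenames, autorun_text):
    """Apply the page's removable-drive indicators to one drive root."""
    targets = autorun_targets(parse_autorun(autorun_text))
    names = [f.lower() for f in filenames]
    worm_named = sorted(f for f in names if f in WORM_NAMES)
    temp_copies = sorted(f for f in names if TMP_RE.match(f))
    target_hits = [t for t in targets
                   if basename(t) in WORM_NAMES or TMP_RE.match(basename(t))]
    return {
        "autorun_targets": targets,
        "autorun_points_at_worm_name": target_hits,
        "worm_named_files": worm_named,
        "temp_copies": temp_copies,
        # autorun.inf aimed at one of the listed names, or a leftover rcx*.tmp,
        # is the strong signal; a lone system.exe at a root is not.
        "flagged": bool(target_hits or temp_copies),
    }


# Constructed sample: a plausible autorun.inf and root listing, not captured
# from a real infection.
SAMPLE_AUTORUN_INF = """
[autorun]
open=system.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\Command=system.exe
shell\\explore\\Command=system.exe
action=Open folder to view files
"""
SAMPLE_ROOT_LISTING = ["autorun.inf", "System.exe", "rcx3A7F.tmp",
                       "Photos", "report.docx"]

if __name__ == "__main__":
    for k, v in triage_drive_root(SAMPLE_ROOT_LISTING, SAMPLE_AUTORUN_INF).items():
        print(f"{k}: {v}")
```

Run it against a real drive by feeding `os.listdir()` of the root and the contents of its autorun.inf. Note that since the February 2011 AutoRun update, and by default on Windows 7 and later, Windows no longer honours autorun.inf on USB and other non-optical removable media, so an infected stick launches the worm automatically only on unpatched Windows XP and Vista hosts; the file is still a reliable artifact to look for.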
Payload
Modifies computer settings
Worm:Win32/Vobfus modifies the following registry entry to prevent you from changing how hidden files and folders are displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
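The persistence entries in the Installation section (a random-named .exe directly in the profile root under HKCU\...\Run, and the same path in the normally empty "Load" value under Windows NT\CurrentVersion\Windows) and the ShowSuperHidden change above are all visible in a .reg export of the HKCU hive. The script below is an added example for this page, not Microsoft's or the worm's code: it parses a regedit/`reg export` style file and reports entries matching those indicators. The regular expression for "an .exe directly in the profile root, optionally followed by one switch" is this example's generalization of the page's `<random>.exe [/random parameter]` pattern, and the sample export is constructed (the zkyip entries mirror the page's example; the ctfmon entry is a benign Run value added as a control).

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# An .exe sitting directly in the user's profile root (not in a subfolder),
# optionally followed by one switch such as /f or /t: the shape the page gives.
# This regex is the example's own generalization, not a Microsoft signature.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\(?:documents and settings|users)\\[^\\"]+\\[^\\"]+\.exe"?(?:\s+/\S+)?$',
    re.I)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse a 'reg export' / regedit .reg file into {key: {name: value}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue  # header line, continuation of hex data, etc.
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])          # REG_SZ
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)              # REG_DWORD
        else:
            value = data                           # other types kept raw
        keys[current][name] = value
    return keys


def triage_reg_export(text):
    """Return (kind, value name, data) findings matching the page's indicators."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and PROFILE_ROOT_EXE.match(data):
            findings.append(("run", name, data))
    load = keys.get(LOAD_KEY, {}).get("Load")
    if load:
        # Load is the win.ini "load=" autostart carried into the registry;
        # it is normally empty, so any value deserves a look.
        findings.append(("load", "Load", load))
    if keys.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        # 0 is also the out-of-the-box value, so this corroborates the
        # findings above rather than standing alone.
        findings.append(("hidden", "ShowSuperHidden", 0))
    return findings


# Constructed sample export (not a capture from a real host); the zkyip
# entries mirror the page's example, ctfmon is a benign XP-era Run entry.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"zkyip"="C:\\documents and settings\\administrator\\zkyip.exe /f"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\documents and settings\\administrator\\zkyip.exe /t"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000001
"""

if __name__ == "__main__":
    for kind, name, data in triage_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{kind}] {name} = {data}")
```

To run this against a live host, export the three keys with `reg export` (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and pass the concatenated files to `triage_reg_export`; `reg export` writes UTF-16LE, so open the files with `encoding="utf-16"`. Because the worm keeps re-applying these values while it runs, check them again after the process and its mutex are gone.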
Drops, downloads and executes other malware
Worm:Win32/Vobfus drops additional malware in the "C:\Documents and Settings\<user>" folder using random file names, for example:
C:\documents and settings\<user>\joc.exe
To obtain this malware, Worm:Win32/Vobfus contacts the following remote hosts on TCP port 8000:
- ns1.helpchecks.com
- ns1.player1532.com
The dropped and/or downloaded malware may be any of the following:
- Win32/Alureon
- Win32/Hiloti
- Win32/Renos
- Win32/Virut
Analysis by Edgardo Diaz Jr
Last update 24 January 2013