
Worm:Win32/Vobfus


First posted on 24 January 2013.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Vobfus.

Explanation:



Worm:Win32/Vobfus is a family of worms that spread via removable drives and download additional malware from remote servers; these obfuscated worms are written in Visual Basic (VB).



Installation

Upon execution, Worm:Win32/Vobfus creates a mutex named "A" to make sure that only a single copy of its process is running on your computer at any one time.

It then drops a copy of itself in the "C:\Documents and Settings\<user>" folder using a random file name, for example:

C:\documents and settings\Administrator\zkyip.exe.exe

It then creates the following registry entries so that it runs each time you start your computer:

In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random>
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:

In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"

In Subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:

In Subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"

Spreads via...

Network and removable drives

The worm copies itself to the root directory of network and removable drives as "rcx<hexadecimal number>.tmp", then renames this TMP file to any of the following:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • system.exe


The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When you access this drive from a computer supporting the Autorun feature, the worm is launched automatically.



Payload

Modifies computer settings

Worm:Win32/Vobfus modifies the following registry entries to prevent you from changing how hidden files and folders are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
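The persistence, spreading and settings changes described above can be turned into host-side triage checks. The following is an added example (not code from the Microsoft write-up) that runs the checks over a constructed HKCU snapshot and a constructed drive-root listing; the sample data and the rule names are assumptions built from the entries quoted in this entry.

```python
import re

# Registry locations named in the write-up (HKCU only).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ADV_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# An executable dropped directly under a user profile, optionally with a switch such as /f or /t.
PROFILE_EXE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe( /\S+)?$", re.I)
# Lure names the worm renames its drive-root copy to, and its rcx<hex>.tmp staging name.
LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "system.exe"}
TMP_NAME = re.compile(r"^rcx[0-9a-f]+\.tmp$", re.I)

def check_registry(values):
    """values: {(subkey, value name): data} snapshot of HKCU, e.g. parsed from a .reg export."""
    findings = []
    for (key, name), data in values.items():
        k, n = key.lower(), name.lower()
        if k == RUN_KEY.lower() and PROFILE_EXE.match(str(data)):
            findings.append(f"Run value '{name}' launches a profile-root executable: {data}")
        elif k == LOAD_KEY.lower() and n == "load" and PROFILE_EXE.match(str(data)):
            findings.append(f"Windows\\Load value used for persistence: {data}")
        elif k == ADV_KEY.lower() and n == "showsuperhidden" and str(data) == "0":
            findings.append("ShowSuperHidden forced to 0 (protected hidden files stay hidden)")
    return findings

def check_drive_root(filenames):
    """filenames: entries in the root directory of a removable or network drive."""
    names = {f.lower() for f in filenames}
    findings = []
    lures = sorted(names & LURE_NAMES)
    if "autorun.inf" in names and lures:
        findings.append(f"autorun.inf beside lure executable(s): {', '.join(lures)}")
    for tmp in sorted(n for n in names if TMP_NAME.match(n)):
        findings.append(f"rcx*.tmp staging file present: {tmp}")
    return findings

# Constructed sample data mirroring the example entries in the write-up, plus one benign Run entry.
SAMPLE_REGISTRY = {
    (RUN_KEY, "zkyip"): r"C:\documents and settings\administrator\zkyip.exe /f",
    (RUN_KEY, "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe",
    (LOAD_KEY, "Load"): r"C:\documents and settings\administrator\zkyip.exe /t",
    (ADV_KEY, "ShowSuperHidden"): "0",
}
SAMPLE_DRIVE = ["autorun.inf", "secret.exe", "rcx1A2B.tmp", "photos"]

if __name__ == "__main__":
    for line in check_registry(SAMPLE_REGISTRY) + check_drive_root(SAMPLE_DRIVE):
        print("[!]", line)
```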

Drops, downloads and executes other malware

Worm:Win32/Vobfus drops additional malware in the "C:\Documents and Settings\<user>" folder using random file names such as:

C:\documents and settings\<user>\joc.exe

To do this, Worm:Win32/Vobfus also tries to contact the following remote hosts, using TCP port 8000:

  • ns1.helpchecks.com
  • ns1.player1532.com


The dropped and/or downloaded malware may be any of the following:

  • Win32/Alureon
  • Win32/Hiloti
  • Win32/Renos
  • Win32/Virut




Analysis by Edgardo Diaz Jr

Last update 24 January 2013
