First posted on 10 December 2019.
Worm:Win32/Vobfus.gen!A is also known as W32/Vobfus.E.gen!Eldorado, Worm/Generic.BNDU, TR/Drop.PicHut.B, Trojan.Autorun.ATA, Win32/Vobfus.FB, Win32.HLLW.Autoruner.25109, Win32/AutoRun.VB.RP, Worm.Win32.VBNA.akzw, Downloader-CJX.gen.g, W32/VobfusLNK.A, W32/Dulkis-A, W32.Changeup.C, WORM_VBNA.SMN, Worm.VBNA.Gen.3.
Win32/Vobfus.gen!A is a generic detection for certain variants of Win32/Vobfus, a worm that spreads via removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.

Installation

When executed, the worm copies itself to "%HOMEPATH% .exe" and sets a corresponding registry entry to execute this copy at each Windows start:

Adds value: " "
With data: "%HOMEPATH% .exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via…

Removable drives

The worm looks for removable drives and then copies itself to the root directory of each located drive as " .exe". Win32/Vobfus.gen!A then writes an autorun configuration file named "autorun.inf" pointing to the copy of the worm. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the worm is launched automatically. The worm may also drop the following files on the removable drive:

- .lnk - detected as Exploit:Win32/CplLnk.B
- .dll

Payload

Downloads and executes arbitrary files

The worm connects to a remote host to download and execute files, as well as to update itself. In the wild, we have observed Vobfus contacting all-internal.info for this purpose.
At the time of writing, Win32/Vobfus.gen!A had been observed downloading variants of the following malware families:

- Win32/Renos
- Win32/Alureon
- Win32/Virut
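The two host artifacts described under Installation and Removable drives above (a Run-key value pointing at an executable placed directly under %HOMEPATH%, and an autorun.inf whose launch entries reference an executable in the drive root) can both be triaged offline from collected data. The following Python script is an added example written for this page; it is not Microsoft's analysis code. The autorun.inf text, the Run-key values, the file name "example.exe" and the profile path "C:\Users\alice" are all constructed placeholders, not indicators taken from the entry.

```python
"""Triage helpers for the two artifacts the entry describes: an autorun.inf
in the root of a removable drive that launches an executable also sitting in
the root, and a Run-key value whose command points at an executable placed
directly under the user's profile root (%HOMEPATH%).

Added example, not Microsoft's analysis code. All sample inputs are
constructed; the file names and the profile path are placeholders."""
import ntpath
import re

# Extensions Windows will execute directly from an autorun or Run entry.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}


def first_token(command):
    """Return the program part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_autorun_inf(text):
    """Parse autorun.inf into {section: {key: value}}; keys are lower-cased.
    Done by hand because configparser chokes on the '%' and backslashes
    that autorun.inf values routinely contain."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def is_root_executable(command):
    """True when the command runs an executable with no directory part,
    i.e. a file sitting next to autorun.inf in the drive root."""
    directory, name = ntpath.split(first_token(command))
    return directory in ("", "\\", ".") and \
        ntpath.splitext(name)[1].lower() in EXEC_EXTENSIONS


def triage_autorun_inf(text):
    """List the autorun.inf launch entries (open=, shellexecute=,
    shell\\<verb>\\command=) that would run a drive-root executable."""
    findings = []
    for key, value in parse_autorun_inf(text).get("autorun", {}).items():
        is_launch_key = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch_key and is_root_executable(value):
            findings.append(f"{key}= launches drive-root executable: {value}")
    return findings


def expand_windows_vars(path, env):
    """Expand %VAR% from a supplied map rather than this host's environment."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def suspicious_run_values(run_values, env):
    """Flag Run values whose command resolves to an executable directly under
    the profile root, the location the worm installs its copy to."""
    profile_root = ntpath.normcase(env["HOMEDRIVE"] + env["HOMEPATH"])
    hits = []
    for name, data in run_values.items():
        path = expand_windows_vars(first_token(data), env)
        if not ntpath.splitdrive(path)[0]:  # %HOMEPATH% carries no drive letter
            path = env["HOMEDRIVE"] + path
        directory, filename = ntpath.split(path)
        if ntpath.normcase(directory) == profile_root and \
                ntpath.splitext(filename)[1].lower() in EXEC_EXTENSIONS:
            hits.append((name, path))
    return hits


# Constructed sample inputs (placeholders, not real indicators).
SAMPLE_AUTORUN_INF = """[autorun]
; constructed: executable in the drive root, referenced by the launch keys
open=example.exe
shell\\open\\command=example.exe
shell\\open=Open
icon=example.exe
"""
SAMPLE_RUN_VALUES = {
    "example": '"%HOMEPATH%\\example.exe"',                              # worm-style entry
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",  # ordinary entry
}
SAMPLE_ENV = {"HOMEDRIVE": "C:", "HOMEPATH": "\\Users\\alice"}

if __name__ == "__main__":
    for finding in triage_autorun_inf(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", finding)
    for name, path in suspicious_run_values(SAMPLE_RUN_VALUES, SAMPLE_ENV):
        print("Run value:", name, "->", path)
```

Both checks are deliberately narrow: a legitimate installer rarely places its executable in the bare root of a removable drive or of the user profile, so an entry that does is worth a closer look, while the common case (a Run value under Program Files or System32) is left alone. Feed `suspicious_run_values` the exported values of the Run key and `triage_autorun_inf` the contents of an autorun.inf collected from a drive, with the environment map filled in from the examined host.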
Analysis by Ray Roberts
Last update 10 December 2019