
Worm:Win32/Vobfus.U


First posted on 17 February 2019.
Source: Microsoft

Aliases :

Worm:Win32/Vobfus.U is also known as Worm/VB.12.W, Win32.HLLW.Autoruner.25089, Downloader-CJX.gen.f, Worm.VBNA.Gen.3.

Explanation :

Worm:Win32/Vobfus.U is a detection of obfuscated Visual Basic (VB) compiled malware that spreads via removable drives and downloads additional malware from remote servers. This variant of Win32/Vobfus is a minor variation of Worm:Win32/Vobfus.R.

Installation

Worm:Win32/Vobfus.U drops a file with 'hidden', 'system' and 'read-only' attributes, with a random name under %UserProfile%; for example, houtor.exe. This file is detected as Worm:Win32/Vobfus.U.

Worm:Win32/Vobfus.U modifies the following registry entries to run the dropped file on Windows start:

Adds value: ""
With data: "%UserProfile%"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Worm:Win32/Vobfus.U modifies the following registry entries to hide files that have the 'hidden' and 'system' attributes in Windows Explorer:

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Spreads via…

Removable drives

Worm:Win32/Vobfus.U spreads itself by dropping an "autorun.inf" and a copy of itself to the root of all removable drives. When the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The copy of itself can be either .exe or .scr; the file name is the same as the name the worm uses when it installs under %UserProfile%.

Worm:Win32/Vobfus.U also drops shortcut links to the root of all removable drives that point to the dropped executable files. The worm has been observed using the following link names:

new folder.lnk
passwords.lnk
documents.lnk
pictures.lnk
music.lnk
video.lnk
subst.lnk
..lnk
...lnk

Payload

Terminates processes and threads

Worm:Win32/Vobfus.U prevents security software from terminating its processes by patching two Windows system APIs (TerminateProcess and TerminateThread).

Downloads and executes arbitrary files

Worm:Win32/Vobfus.U tries to download additional files from a remote server under %UserProfile%; we have observed the worm contacting the following domains:

ns2.thepicturehut.net
ns4.thepicturehut.net

We have observed the worm downloading files detected as Trojan:Win32/Hiloti and Trojan:Win32/Alureon.CT.

Analysis by Dan Kurc
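A triage check for the removable-drive artifacts described above, as an added example that is not part of the original write-up or of any Microsoft tool: it lists lure-named shortcuts, .exe/.scr files and autorun.inf launch targets found in a drive root. The function names are hypothetical, and the autorun.inf key names (open, shellexecute, shell\...\command) are the general autorun.inf format, an assumption not taken from this page.

```python
import os
import re

# Shortcut names listed in the write-up above (matched case-insensitively).
LURE_LINKS = {"new folder.lnk", "passwords.lnk", "documents.lnk", "pictures.lnk",
              "music.lnk", "video.lnk", "subst.lnk", "..lnk", "...lnk"}
# Standard autorun.inf launch keys (assumption: general format, not from the page).
LAUNCH_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def autorun_targets(text):
    """Return lower-cased file names that an autorun.inf body would launch."""
    targets = set()
    for line in text.splitlines():
        m = LAUNCH_KEY.match(line)
        if not m:
            continue  # junk or unrelated lines are skipped
        # Program is either a quoted string or the first whitespace-free token.
        prog = re.match(r'"([^"]*)"|(\S+)', m.group(1))
        name = prog.group(1) or prog.group(2) or ""
        targets.add(name.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return targets

def scan_drive_root(root):
    """Collect the removable-drive artifacts described above from a drive root."""
    files = {e.name.lower(): e.name for e in os.scandir(root)
             if e.is_file(follow_symlinks=False)}
    found = {
        "autorun_inf": "autorun.inf" in files,
        "lure_links": sorted(n for n in files if n in LURE_LINKS),
        "executables": sorted(n for n in files if n.endswith((".exe", ".scr"))),
        "autorun_launches": [],
    }
    if found["autorun_inf"]:
        path = os.path.join(root, files["autorun.inf"])
        with open(path, encoding="latin-1") as fh:
            targets = autorun_targets(fh.read(1 << 20))  # cap read at 1 MiB
        found["autorun_launches"] = sorted(targets & set(found["executables"]))
    # An installer with autorun.inf is common on legitimate media, so the flag
    # needs the worm's combination: an executable beside lure-named shortcuts.
    found["suspicious"] = bool(found["executables"] and found["lure_links"])
    return found
```

Run it against a mounted drive root (for example `scan_drive_root("E:\\")`) from a system with Autorun disabled; file names in the result are lower-cased.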

Last update 17 February 2019

 
