
Worm:Win32/Vobfus.gen!N


First posted on 12 October 2019.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Vobfus.gen!N.

Explanation:

Worm:Win32/Vobfus.gen!N is the generic detection for obfuscated Visual Basic (VB)-compiled malware that spreads via removable drives and downloads additional malware from remote servers.

Installation

Upon execution, Worm:Win32/Vobfus.gen!N creates a mutex named "A" to make sure that only a single copy of its process is executing in the computer at any given time.

It then drops a copy of itself in the %USERPROFILE% folder using a random file name, for example:

%USERPROFILE%\woioso.exe

It then creates the following registry entry so that this copy is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random file name>"
With data: "%USERPROFILE%\<random file name>.exe /<parameter>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "woioso"
With data: "%USERPROFILE%\woioso.exe /f"

Spreads via...

Network and removable drives

Worm:Win32/Vobfus.gen!N copies itself to the root folder of all available network and removable drives with the file name "rcx.tmp". It then renames this file to any of the following:

subst.exe
secret.exe
sexy.exe
porn.exe
passwords.exe

It writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

Payload

Modifies computer settings

Worm:Win32/Vobfus.gen!N modifies the following registry entries to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
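A defender-side check for the indicators this page describes (the Run-key persistence entry, the ShowSuperHidden change, and the renamed copies plus autorun.inf on a drive root), written as an added example and not part of Microsoft's write-up. It runs over constructed .reg export text and a constructed drive listing rather than live system state; the sample entry names are constructed.

```python
import re
WORM_DROP_NAMES = {"rcx.tmp", "subst.exe", "secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Shape of the persistence data described above: %USERPROFILE%\<random name>.exe /<switch>
RUN_DATA_RE = re.compile(r"^%USERPROFILE%\\[a-z]+\.exe\s*/\w+$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (REG_SZ unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"'):  # REG_SZ: quoted, backslashes doubled
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def check_registry(reg_text):
    """Findings for the Run-key persistence entry and the ShowSuperHidden change."""
    keys, findings = parse_reg_export(reg_text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        if RUN_DATA_RE.match(data):
            findings.append(f"run-key persistence: {name} -> {data}")
    if keys.get(ADV_KEY, {}).get("ShowSuperHidden") == "dword:00000000":
        findings.append("ShowSuperHidden forced to 0")
    return findings

def check_drive_root(filenames, autorun_text=""):
    """Flag worm copies by name, and an autorun.inf whose open/shellexecute launches one."""
    findings = [f"worm copy on drive root: {f}" for f in sorted(filenames)
                if f.lower() in WORM_DROP_NAMES]
    for line in autorun_text.splitlines():
        key, _, target = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute") and target.strip().lower() in WORM_DROP_NAMES:
            findings.append(f"autorun.inf launches {target.strip()}")
    return findings

# Constructed sample inputs (not captured from a real infection); a benign Run entry is included.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"woioso"="%USERPROFILE%\\woioso.exe /f"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000'''
SAMPLE_ROOT = ["autorun.inf", "secret.exe", "photos", "Readme.txt"]
SAMPLE_AUTORUN = "[autorun]\nopen=secret.exe\nicon=secret.exe\n"
```

On a live host the same functions can be fed the output of `reg export` and a directory listing of each removable drive root.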

Drops and downloads arbitrary files

Worm:Win32/Vobfus.gen!N drops additional malicious files in the %USERPROFILE% folder using a random file name, such as:

%USERPROFILE%\joc.exe

Worm:Win32/Vobfus.gen!N also tries to contact the remote host "ns1.player32.com" on TCP port 8000 in order to download additional malware onto the computer.

This dropped and/or downloaded malware is commonly detected as any of the following:

Win32/Hiloti
Win32/Alureon
Win32/Renos
Win32/Virut

Analysis by Edgardo Diaz

Last update 12 October 2019
