Home / malwarePDF  

Worm:Win32/Vobfus.C


First posted on 08 April 2019.
Source: Microsoft

Aliases :

Worm:Win32/Vobfus.C is also known as W32/Vobfus.A, Trojan.VB.Chinky.C, Trojan.Agent-122844, Win32/AutoRun.VB.GA, Worm.Win32.VBNA.idv, W32/VBNA.worm, VBWorm.XPH, W32/Vobfus.gen.worm, W32/SillyFDC-DV.

Explanation :

Installation When run, the worm drops a copy of itself into the logged on user's profile directory as a random six character string as in this example:   %USERPROFILE%viuoqu.exe   The registry is modified to run the dropped copy at each Windows start, as in this example:   Adds value: "viuoqu" With data: "%USERPROFILE%viuoqu.exe" To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun Spreads Via… Removable drives Worm:Win32/Vobfus.C enumerates removable drives and drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each removable drive:   viuoqu.exe viuoqu.scr   The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy with ".exe" file extension. When the drive is accessed from a machine supporting the Autorun feature, the virus is launched automatically.   Remote drives Worm:Win32/Vobfus.C drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each writeable remote drive:   viuoqu.exe viuoqu.scr   The worm also creates shortcuts under the root directory on remote drives that have the same name as existing folders in the root directory, f or example:  
ew folder.lnk passwords.lnk documents.lnk pictures.lnk music.lnk
video.lnk   The shortcut links to the dropped worm executable with ".scr" file extension. Once the users opens the link, the worm copy will execute. Payload Modifies Windows settings The worm will disable viewing of Windows system files with attributes "hidden" by modifying the following registry data:   Modifies value: "ShowSuperHidden" With data: "0" To subkey: HKCUSoftwareMicrosoftWindowsCurrentersionExplorerAdvanced   Downloads other malware The worm also attempts connecting to a remote host "ns.theimageparlour.net" using TCP port 8000 to download further malicious binaries.   Analysis by Lena Lin

Last update 08 April 2019

 

TOP

Malware :

Family: