
Worm:Win32/Vobfus.gen!D


First posted on 21 March 2019.
Source: Microsoft

Aliases :

Worm:Win32/Vobfus.gen!D is also known as Trojan.Win32.VBKrypt.uut, W32/Suspicious_Gen2.FBJAI, Trojan.DR.Agent2!Fm3VGAT05rA, TR/Drop.Conduct.A, Win32.HLLW.Autoruner.34873, Trojan.ADH.

Explanation :

Worm:Win32/Vobfus.gen!D is a generic detection for an obfuscated worm written in Visual Basic that spreads via removable drives.

Installation

When executed, the worm has been observed making a copy of itself in the %USERPROFILE% folder using a random file name, for example:

%USERPROFILE%\qeakie.exe

Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location of the user profile folder is C:\Documents and Settings\<user> on Windows 2000 and XP, and C:\Users\<user> on Windows Vista and 7.

The worm also creates a registry entry to ensure its execution at Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "qeakie"
With data: "c:\documents and settings\administrator\qeakie.exe /s"

The worm uses code injection to hinder detection and removal, and may also modify itself every time it creates a copy of itself, in an effort to evade signature-based detection.

Spreads via...

Removable drives

The worm writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer on which the Autorun feature is enabled, the worm is launched automatically.

The worm also creates .lnk shortcut files named after any folders on the drive, which point to the malware, for example:

<drive letter>:\new folder.lnk
<drive letter>:\documents.lnk
<drive letter>:\pictures.lnk
<drive letter>:\music.lnk
<drive letter>:\video.lnk

In the wild, some Vobfus variants have been observed creating shortcut files that exploit the Windows Shell shortcut-parsing vulnerability addressed by Microsoft Security Bulletin MS10-046 (CVE-2010-2568), which lets a crafted .lnk run code as soon as its icon is rendered, without the user opening it.

Payload

Contacts remote host

Worm:Win32/Vobfus.gen!D attempts to connect to the host codeconline.biz via TCP port 8000, possibly to download other malware or to allow communication with a remote attacker.

Modifies system settings

Worm:Win32/Vobfus.gen!D stops Windows Explorer from displaying files that have both the 'system' and 'hidden' attributes by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

ShowSuperHidden backs Explorer's "Hide protected operating system files" option; with it set to 0, any file carrying both attributes is not listed, even when "Show hidden files" is turned on.

Analysis by Ray Roberts
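The indicators above (a folder-named .lnk lure beside an autorun.inf on the drive, a Run value pointing at an executable dropped directly in the profile root, and ShowSuperHidden forced to 0) can be checked offline. The script below is an added example, not code from Microsoft or from this page: the drive layout and the registry export it scans are constructed inline to mirror the write-up, the function names are the example's own, and the two heuristics (a shortcut whose name matches a sibling folder; a Run target of the form <profile root>\<name>.exe) are generalisations of the specific paths in the text, not Microsoft's detection logic. On a live host you would point scan_drive_root at the removable drive's root and feed check_registry_export the text produced by reg export HKCU\Software\Microsoft\Windows\CurrentVersion dump.reg.

```python
"""Offline triage for the Vobfus indicators described above.

Added example, not code from Microsoft or from this page. The sample drive
layout and registry export below are constructed to mirror the write-up.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Registry paths from the write-up, in the long form that `reg export` emits
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Heuristic (not a signature): an .exe sitting directly in a user profile root,
# e.g. c:\documents and settings\administrator\qeakie.exe
PROFILE_ROOT_EXE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\[^\\]+\.exe(\s|$)", re.I)


def parse_autorun_inf(path):
    """Return the command an autorun.inf would launch (open= or shellexecute=), or None."""
    text = Path(path).read_text(errors="replace")
    # INI section names are case-insensitive on Windows; configparser's are not
    text = re.sub(r"^\s*\[([^\]]*)\]", lambda m: "[" + m.group(1).lower() + "]",
                  text, flags=re.M)
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # padded or malformed file: its presence is still reported
    for key in ("open", "shellexecute"):
        if cp.has_option("autorun", key):
            return cp.get("autorun", key).strip()
    return None


def scan_drive_root(root):
    """Flag the two spreading artefacts: autorun.inf and .lnk lures named after folders."""
    entries = list(Path(root).iterdir())
    folder_names = {p.name.lower() for p in entries if p.is_dir()}
    findings = []
    for p in entries:
        if p.name.lower() == "autorun.inf":
            findings.append(("autorun.inf", parse_autorun_inf(p)))
        elif p.suffix.lower() == ".lnk" and p.stem.lower() in folder_names:
            # A shortcut carrying the name of a sibling folder is the lure pattern
            findings.append(("folder_lure_lnk", p.name))
    return sorted(findings, key=lambda f: (f[0], str(f[1])))


def check_registry_export(reg_text):
    """Scan a `reg export` dump for the persistence entry and the ShowSuperHidden change."""
    findings = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if not m or key is None:
            continue
        name, sval, dval = m.groups()
        if key == RUN_KEY.lower() and sval is not None:
            cmd = sval.replace("\\\\", "\\")  # .reg files double every backslash
            if PROFILE_ROOT_EXE.search(cmd):
                findings.append(("run_value_profile_exe", name, cmd))
        elif key == ADVANCED_KEY.lower() and name.lower() == "showsuperhidden":
            if dval is not None and int(dval, 16) == 0:
                findings.append(("showsuperhidden_disabled", name, 0))
    return findings


# Constructed registry export mirroring the write-up, plus one benign Run entry
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qeakie"="c:\\documents and settings\\administrator\\qeakie.exe /s"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000001
"""


def build_sample_drive(root):
    """Create a constructed drive layout like the one described; no real binaries."""
    root = Path(root)
    for name in ("New folder", "documents", "pictures"):
        (root / name).mkdir()
        (root / f"{name}.lnk").write_bytes(b"L\x00\x00\x00")  # header only, not a real shortcut
    (root / "readme.lnk").write_bytes(b"L\x00\x00\x00")  # no matching folder: must not be flagged
    (root / "qeakie.exe").write_bytes(b"MZ placeholder")
    (root / "autorun.inf").write_text("[AutoRun]\r\nopen=qeakie.exe /s\r\naction=Open folder\r\n")


def demo():
    """Run both checks against the constructed data; returns (drive_findings, reg_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        drive = scan_drive_root(tmp)
    return drive, check_registry_export(SAMPLE_REG)


if __name__ == "__main__":
    for group in demo():
        for finding in group:
            print(finding)
```

The .lnk check deliberately does not parse the shortcut itself: a lure that exploits the MS10-046 icon-loading bug should never be rendered on the analysis host, so the decision is made from names alone and the files are left untouched.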

Last update 21 March 2019
