Home / malware Worm:Win32/Vobfus.QB
First posted on 22 July 2019.
Source: MicrosoftAliases :
Worm:Win32/Vobfus.QB is also known as W32/Autorun.worm.aaeh!heur, Worm.Win32.Vobfus.dsxm, W32.Changeup.
Explanation :
Worm:Win32/Vobfus.QB is a member of Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files. Installation When executed, Worm:Win32/Vobfus.QB copies itself to the following locations:
c:documents and settingsadministratorpasswords.exe c:documents and settingsadministratorporn.exe c:documents and settingsadministratorsecret.exe c:documents and settingsadministratorsexy.exe c:documents and settingsadministratoryaabee.exe
The malware creates the following files on an affected computer:
c:documents and settingsadministrator
cx10.tmp c:documents and settingsadministrator
cx11.tmp c:documents and settingsadministrator
cx12.tmp c:documents and settingsadministrator
cx13.tmp c:documents and settingsadministrator
cx14.tmp c:documents and settingsadministrator
cx15.tmp c:documents and settingsadministrator
cx16.tmp c:documents and settingsadministrator
cx17.tmp c:documents and settingsadministrator
cx18.tmp c:documents and settingsadministrator
cx19.tmp c:documents and settingsadministrator
cxe.tmp c:documents and settingsadministrator
cxf.tmp Spreads via… Removable and network drives Worm:Win32/Vobfus.QB may create the following files on targeted drives when spreading:
:passwords.exe :porn.exe :secret.exe :sexy.exe :subst.exe :yaabee.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. Payload Contacts remote host Worm:Win32/Vobfus.QB may contact a remote host at ns1.datetoday1.org using port 7001. Commonly, malware may contact a remote host for the following purposes: To report a new infection to its author To receive configuration or other data To download and execute arbitrary files (including updates or additional malware) To receive instruction from a remote attacker To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 73bcfca018a5913b9f7221cf9e9281b3057dcf2e.Last update 22 July 2019
