Home / malware Worm:Win32/Vobfus.gen!N
First posted on 08 November 2011.
Source: SecurityHomeAliases :
There are no other names known for Worm:Win32/Vobfus.gen!N.
Explanation :
Worm:Win32/Vobfus.gen!N is the generic detection for obfuscated Visual Basic (VB)-compiled malware that spread via removable drives and download additional malware from remote servers.
Top
Worm:Win32/Vobfus.gen!N is the generic detection for obfuscated Visual Basic (VB)-compiled malware that spread via removable drives and download additional malware from remote servers.
Installation
Upon execution, Worm:Win32/Vobfus.gen!N creates a mutex named "A" to make sure that only a single copy of its process is executing in the computer at any given time.
It then drops a copy of itself in the %USERPROFILE% folder using a random file name, for example:
%USERPROFILE%\woioso.exe
It then creates the following registry entry so that this copy is executed at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value>
With data: "%USERPROFILE%\<malware file name> /<random parameter>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "woioso"
With data: "%USERPROFILE%\woioso.exe/f"
Spreads via...
Network and removable drives
Worm:Win32/Vobfus.gen!N copies itself to the root folder of all available network and removable drives with the file name "rcx<hexadecimal number>.tmp". It then renames this file to any of the following:
- subst.exe
- secret.exe
- sexy.exe
- porn.exe
- passwords.exe
It writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Modifies computer settings
Worm:Win32/Vobfus.gen!N modifies the following registry entries to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Drops and downloads arbitrary files
Worm:Win32/Vobfus.gen!N drops additional malicious files in the %USERPROFILE% folder using a random file name, such as:
%USERPROFILE%\joc.exe
Worm:Win32/Vobfus.gen!N also tries to contact to the remote host "ns1.player<removed>32.com" using TCP port 8000, in order to download additional malware into the computer.
These dropped and/or downloaded malware are commonly detected as any of the following:
- Win32/Hiloti
- Win32/Alureon
- Win32/Renos
- Win32/Virut
Analysis by Edgardo Diaz
Last update 08 November 2011