
Worm:Win32/Vobfus.P


First posted on 31 July 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Vobfus.P is also known as Worm.Win32.VBNA.alxm (Kaspersky), W32/VBNA.BR (Norman), Worm.VBNA.Gen.3 (VirusBuster), Worm/Generic.BPYE (AVG), Worm/VBNA.U (Avira), Win32.HLLW.Autoruner.25726 (Dr.Web), Worm.Win32.Vobfus (Ikarus), Downloader-CJX.gen.g (McAfee), Mal/SillyFDC-D (Sophos), Trojan.Win32.Generic!BT (Sunbelt Software), W32.Changeup.C (Symantec), WORM_VBNA.SMN (Trend Micro).

Explanation:

Win32/Vobfus.P is a worm that spreads via network drives and removable drives.

Installation

When executed, the worm copies itself to %HOMEPATH%\<random letters>.exe and sets the following registry entry so that this copy runs at each Windows start:

Adds value: "<random letters>"
With data: "%HOMEPATH%\<random letters>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Note: %HOMEPATH% refers to a variable location that the malware determines by querying the operating system. The default location of the Homepath folder is \Documents and Settings\<user> for Windows 2000 and NT, and \Users\<user> for XP, Vista, and 7.

Spreads via...

Network and removable drives

The worm copies itself to the root directory of network and removable drives, using the same random file name as its copy in %HOMEPATH%. It then writes an Autorun configuration file named "autorun.inf" that points to the worm copy; when the drive is accessed from a computer with the Autorun feature enabled, the worm is launched automatically. Additional copies of the worm named "<random letters>.scr" may also be created. In addition, another copy is created as "<random letters>x.exe", with the following shortcut files referencing it:

  • ..lnk
  • ...lnk
  • Documents.lnk
  • Music.lnk
  • New Folder.lnk
  • Passwords.lnk
  • Pictures.lnk
  • Video.lnk

The worm exploits the LNK vulnerability by creating the following files:

  • z<two random characters>.lnk - detected as Exploit:Win32/CplLnk.B
  • z<two random characters>.dll
  • x.exe - detected as Win32/Vobfus.P

The dropped DLL launches x.exe on vulnerable systems.

Payload

Modifies computer settings

Win32/Vobfus.P marks its executables as hidden files and periodically rewrites the following registry value so that hidden files are not displayed in Windows Explorer:

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Terminates processes and threads

Win32/Vobfus.P protects its processes by modifying two Windows system APIs (TerminateProcess and TerminateThread). Any process that attempts to terminate the worm's process is crashed instead.

Downloads and executes arbitrary files

Win32/Vobfus.P tries to download additional files from a remote server via TCP port 8000. Some of the sites it has been observed downloading files from are:

  • theimageparlour.net
  • thepicturehut.net
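The drive-root footprint described under "Spreads via..." above can be checked for without executing anything on the drive. The following Python is an added example, not code from the original analysis: it parses an autorun.inf while ignoring the junk lines such files are often padded with, and flags a drive root that combines an autorun-launched root-level executable, the decoy shortcut names listed above, and the z??.lnk / z??.dll / x.exe set. The "qwmx" file names and the sample directory are constructed for the demonstration.

```python
import os
import re
import tempfile

DECOY_LNKS = {"..lnk", "...lnk", "Documents.lnk", "Music.lnk", "New Folder.lnk",
              "Passwords.lnk", "Pictures.lnk", "Video.lnk"}
CPLLNK = re.compile(r"^z..\.(lnk|dll)$", re.I)        # z<two random characters>.lnk / .dll
EXE_REF = re.compile(r"([\w .-]+\.(?:exe|scr))", re.I)  # executable named in an autorun value

def autorun_targets(inf_text):
    """Executables named by open=/shellexecute=/shell\\...\\command= in [autorun]; skips junk lines."""
    targets, in_autorun = set(), False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line:
            key, _, value = line.lower().partition("=")
            launcher = key.strip() in ("open", "shellexecute") or key.strip().startswith("shell\\")
            if launcher and (m := EXE_REF.search(value)):
                targets.add(m.group(1).strip())
    return targets

def scan_drive_root(root):
    """Findings for the Vobfus.P footprint on one drive root; nothing on the drive is executed."""
    names = set(os.listdir(root))
    lower = {n.lower() for n in names}
    findings = []
    inf = next((n for n in names if n.lower() == "autorun.inf"), None)
    if inf:
        with open(os.path.join(root, inf), errors="replace") as f:
            for t in sorted(autorun_targets(f.read()) & lower):
                findings.append(f"autorun.inf launches root-level executable {t}")
    decoys = sorted(DECOY_LNKS & names)
    if len(decoys) >= 3:  # one or two such shortcuts may be legitimate; the set is not
        findings.append(f"{len(decoys)} Vobfus decoy shortcuts: {', '.join(decoys)}")
    cpl_exts = {CPLLNK.match(n).group(1).lower() for n in names if CPLLNK.match(n)}
    if cpl_exts == {"lnk", "dll"} and "x.exe" in lower:
        findings.append("CplLnk dropper set present: z??.lnk + z??.dll + x.exe")
    return findings

def demo():
    """Lay out a constructed sample root (empty dummy files, not malware) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for n in ["qwmx.exe", "qwmx.scr", "qwmxx.exe", "x.exe", "zab.lnk", "zab.dll", *DECOY_LNKS]:
            open(os.path.join(d, n), "w").close()
        with open(os.path.join(d, "autorun.inf"), "w") as f:
            f.write("junk\n[autorun]\nopen=qwmx.exe\nshell\\open\\command=qwmx.exe\n")
        return scan_drive_root(d)
```

Pointing scan_drive_root at the root of a mounted removable drive reports the three findings independently, so a partial footprint (for example the decoy shortcuts alone) is still surfaced.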


Analysis by Shali Hsieh

Last update 31 July 2010