
Worm:Win32/Vobfus.PE


First posted on 10 April 2013.
Source: Microsoft

Aliases:

Worm:Win32/Vobfus.PE is also known as Worm/Win32.Vobfus (AhnLab), W32/Vobfus.GYSS (Norman), Win32.HLLW.Autoruner1.34772 (Dr.Web), Win32/Pronny.KV worm (ESET), Worm.Win32.Vobfus (Ikarus), W32/Autorun.worm.aaeh!heur (McAfee), WORM_VOBFUS.SMMC (Trend Micro).

Explanation:

Installation

Upon execution, Worm:Win32/Vobfus.PE creates a mutex named "A" to make sure that only one instance of its copy is running on the computer at any given time.

It copies itself to the %USERPROFILE% folder using a random file name, for example:

%USERPROFILE%\boiuzoq.exe

It creates the following registry entry so that this copy is run every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "%USERPROFILE%\<malware file name> /<random parameter>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "boiuzoq"
With data: "%USERPROFILE%\boiuzoq.exe /h"

Spreads via...

Network and removable drives

It drops copies of itself in the root folder of all available network and removable drives, again using a random file name. Some of the file names it has used are:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe


It writes an Autorun configuration file named "autorun.inf", which points to the worm copy. If the drive is accessed from a computer that supports the Autorun feature, the worm is launched automatically.



Payload

Changes computer settings

It changes the following registry entry to prevent your computer from showing hidden files and folders in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

It also changes the following registry entry to disable Automatic Updates on your computer:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoUpdate"
With data: "1"
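The registry indicators listed under Installation and Payload above can be turned into a triage check. The following is an added example (not part of the Microsoft description): it takes (subkey, value name, data) triples such as one would parse out of a registry export and reports the Run entry pattern, the ShowSuperHidden change and the NoAutoUpdate change; the sample entries, the OneDrive path and the helper names are constructed for illustration.

```python
import re

# Indicators taken from the description: the Run key, the shape of the Run data
# ("%USERPROFILE%\<name>.exe /<random parameter>", optionally quoted) and two settings.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_RE = re.compile(
    r'^"?%USERPROFILE%\\(?P<name>[\w-]+)\.exe"?\s+/(?P<switch>\S+)$', re.IGNORECASE
)
# (lower-cased subkey, lower-cased value name) -> (data the worm writes, meaning)
SETTING_INDICATORS = {
    (r"hkcu\software\microsoft\windows\currentversion\explorer\advanced", "showsuperhidden"):
        ("0", "hides protected operating system files in Explorer"),
    (r"hklm\software\policies\microsoft\windows\windowsupdate\au", "noautoupdate"):
        ("1", "disables Automatic Updates"),
}


def triage_registry(entries):
    """Return finding strings for entries matching the indicators above.

    entries: iterable of (subkey, value_name, data) strings, e.g. from a registry export.
    """
    findings = []
    for subkey, name, data in entries:
        key, lname = subkey.lower(), name.lower()
        if key == RUN_KEY.lower():
            m = RUN_DATA_RE.match(data.strip())
            if m:
                # The description shows the value name equal to the dropped file's base
                # name ("boiuzoq"); an autostart from the profile root with a bare switch
                # is suspicious on its own, so it is reported either way.
                base = lname[:-4] if lname.endswith(".exe") else lname
                same = m.group("name").lower() == base
                findings.append(f"Run value {name!r} starts {data!r} from the profile root"
                                + (" (value name matches file name)" if same else ""))
        elif (key, lname) in SETTING_INDICATORS:
            expected, meaning = SETTING_INDICATORS[(key, lname)]
            if str(data) == expected:
                findings.append(f"{subkey}\\{name} = {data} ({meaning})")
    return findings


# Constructed sample export: two benign entries and three that match the description.
SAMPLE_ENTRIES = [
    (RUN_KEY, "boiuzoq", r"%USERPROFILE%\boiuzoq.exe /h"),
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "1"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", "1"),
]

if __name__ == "__main__":
    for finding in triage_registry(SAMPLE_ENTRIES):
        print(finding)
```

A hit on the Run pattern alone warrants inspecting the referenced file rather than immediate cleanup, since legitimate software occasionally autostarts from the profile root.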

Downloads arbitrary files

It tries to contact the following server over a TCP port such as 7005 to download arbitrary files:

ns1.datetoday1.org



Analysis by Wei Li

Last update 10 April 2013
