Home / malwarePDF  

Worm:Win32/Vobfus.ABA


First posted on 12 September 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Vobfus.ABA.

Explanation :

Threat behavior

Installation

Worm:Win32/Vobfus.ABA copies itself to the following locations:

  • c:\documents and settings\administrator\piqieog\1.exe
  • c:\documents and settings\administrator\piqieog\2.exe
  • c:\documents and settings\administrator\piqieog\3.exe
  • c:\documents and settings\administrator\piqieog\4.exe
  • c:\documents and settings\administrator\piqieog\goeiqip.exe
The malware creates the following files on your PC:
  • \\127.0.0.1\pipe\srvsvc
  • c:\documents and settings\administrator\start menu\programs\startup\goeiqip.lnk


Spreads via€¦

Removable and network drives
Worm:Win32/Vobfus.ABA can create the following files on targeted drives:

  • :\favourites.lnk
  • :\goeiqip.exe
  • :\love you.exe
  • :\money.exe
  • :\movies.lnk
  • :\music.lnk
  • :\nude.exe
  • :\passwords.lnk
  • :\pictures.lnk
  • :\private.lnk
  • :\search.lnk
  • :\secret folder.lnk
  • :\sex.exe
  • :\subst.exe

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Changes system security settings

Worm:Win32/Vobfus.ABA disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:

Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent. Contacts remote host
The malware might contact a remote host at ns1.timechk1.com using port 7006. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 b3db303dfecc289359ea9ec6a92576313c06e164.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

\\127.0.0.1\pipe\srvsvc
c:\documents and settings\administrator\piqieog\1.exe
c:\documents and settings\administrator\piqieog\2.exe
c:\documents and settings\administrator\piqieog\3.exe
c:\documents and settings\administrator\piqieog\4.exe
c:\documents and settings\administrator\piqieog\goeiqip.exe
c:\documents and settings\administrator\start menu\programs\startup\goeiqip.lnk
  • You see these entries or keys in your registry:
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Last update 12 September 2014

 

TOP