
Worm:Win32/Vobfus.S


First posted on 20 July 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Vobfus.S is also known as Worm/VB.12.O (AVG), Worm/VBNA.aiuk.2 (Avira), Win32/Vobfus!generic (CA), Worm.Win32.VBNA.aiuk (Kaspersky), Downloader-CJX.gen.a (McAfee), Mal/AutoRun-P (Sophos), W32.Changeup (Symantec), WORM_VBNA.SME (Trend Micro).

Explanation :

Worm:Win32/Vobfus.S is a detection of obfuscated, Visual Basic (VB) compiled malware that spreads via removable drives and downloads additional malware from remote servers.

Installation

Worm:Win32/Vobfus.S drops a copy of itself with a random name (for example, houtor.exe) directly under %UserProfile%, and sets the 'hidden', 'system' and 'read-only' attributes on that file. The dropped file is itself detected as Worm:Win32/Vobfus.S.

To run the dropped file at Windows start, the worm modifies the following registry entry:

Adds value: "<random name>"
With data: "%USERPROFILE%\<random name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

To keep the dropped file from appearing in Windows Explorer (with this value set to 0, Explorer hides protected operating system files, that is, files carrying both the 'hidden' and 'system' attributes), the worm modifies the following registry entry:

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Spreads via…

Removable drives

Worm:Win32/Vobfus.S spreads by dropping an "autorun.inf" and a copy of itself to the root of every removable drive. When the drive is accessed from another computer on which the Autorun feature is enabled, the malware is launched automatically. The copy may use either an .exe or an .scr extension; its file name is the same as the name the worm used when it installed under %UserProfile%.

Worm:Win32/Vobfus.S also drops shortcut (.lnk) files to the root of every removable drive; these shortcuts point to the dropped executable. The worm has been observed using the following link names:

  • new folder.lnk
  • passwors.lnk
  • documents.lnk
  • pictures.lnk
  • music.lnk
  • video.lnk
  • subst.lnk
  • ..lnk
  • ...lnk

Payload

Terminates processes and threads

Worm:Win32/Vobfus.S prevents security software from terminating its processes by patching two Windows system APIs, TerminateProcess and TerminateThread.

Downloads and executes arbitrary files

Worm:Win32/Vobfus.S tries to download additional files into %UserProfile% from a remote server; we have observed the worm contacting the following domains:

  • ns2.thepicturehut.net
  • ns4.thepicturehut.net

We have observed the worm downloading files detected as Trojan:Win32/Hiloti and Trojan:Win32/Alureon.CT.
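The following PowerShell triage script is an added example and is not part of the original write-up, nor Microsoft's or SecurityHome's code. It checks a Windows host and any attached removable drives for the indicators described above: a HKCU Run value pointing at a file directly under %USERPROFILE%, the attributes on that file, ShowSuperHidden forced to 0, and autorun.inf, hidden .exe/.scr files and the observed shortcut names at the root of removable drives. The registry paths, attribute set and shortcut names are taken from the text; the script structure, the variable names and the assumption that it runs in Windows PowerShell 3.0 or later on the suspect host are mine.

```powershell
# Added triage example (not from the original write-up): look for the
# Worm:Win32/Vobfus.S indicators described on this page. Assumes Windows
# PowerShell 3.0+ on the host being examined; output is informational only.

$findings = @()

# 1. HKCU Run values whose target sits directly under %USERPROFILE%.
#    Legitimate autostarts almost never point at the profile root itself.
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$profileRoot = $env:USERPROFILE.TrimEnd('\')
$runEntries  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runEntries) {
    foreach ($prop in $runEntries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $raw    = ([string]$prop.Value).Trim('"')
        $path   = [Environment]::ExpandEnvironmentVariables($raw)
        $parent = Split-Path -Path $path -Parent -ErrorAction SilentlyContinue
        if ($parent -and ($parent.TrimEnd('\') -ieq $profileRoot)) {
            # -Force is required, otherwise Get-Item will not return hidden/system files
            $attrs = 'file not present'
            if (Test-Path -LiteralPath $path) {
                $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            }
            $findings += "Run value '$($prop.Name)' -> $path (attributes: $attrs)"
        }
    }
}

# 2. ShowSuperHidden = 0 hides protected OS files (hidden + system) in Explorer.
#    Note: 0 is also the Windows default, so treat this as corroborating only.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) { $findings += "ShowSuperHidden is 0 under $advKey (Windows default; corroborating only)" }

# 3. Removable drives (Win32_LogicalDisk DriveType 2): autorun.inf, hidden
#    .exe/.scr at the root, and the shortcut names observed for this worm.
$lnkNames = 'new folder.lnk','passwors.lnk','documents.lnk','pictures.lnk',
            'music.lnk','video.lnk','subst.lnk','..lnk','...lnk'
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    if (-not (Test-Path -LiteralPath $root)) { continue }
    if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) {
        $findings += "autorun.inf present at $root"
    }
    Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (($_.Extension -in '.exe','.scr') -and ($_.Attributes -band [IO.FileAttributes]::Hidden)) {
            $findings += "hidden $($_.Extension) at drive root: $($_.FullName)"
        }
        if ($lnkNames -contains $_.Name) {   # -contains is case-insensitive
            $findings += "worm-style shortcut at drive root: $($_.FullName)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Vobfus.S indicators found.' } else { $findings }
```

Run it from the suspect user's session, since the Run key and ShowSuperHidden live under HKCU. Do not double-click or browse a suspect removable drive in Explorer on a machine with Autorun enabled; enumerate it from PowerShell as above, or mount it on a system with Autorun disabled. A Run value pointing at a hidden+system+read-only file directly under the profile root, together with hidden .exe/.scr and the listed .lnk names on a removable drive, is the combination to act on; ShowSuperHidden = 0 on its own means nothing, because that is the Windows default.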

Analysis by Shawn Wang

Last update 20 July 2010
