
Worm:Win32/Vobfus.E


First posted on 22 February 2019.
Source: Microsoft

Aliases :

Worm:Win32/Vobfus.E is also known as Worm.Generic.80542, Win32/SillyAutorun.BLR, Worm.Win32.VBNA.c, W32/Autorun-ARZ.

Explanation :

Worm:Win32/Vobfus.E is a worm that spreads to removable drives, changes Windows settings and may download other malware. This worm is installed by Worm:Win32/Vobfus.A.

Installation

Worm:Win32/Vobfus.E may be present as the following:

%USERPROFILE%\%USERNAME%.exe (e.g. C:\Documents and Settings\Administrator\Administrator.exe)

The registry is modified to run the dropped worm copy at each Windows start.

Adds value: "%USERNAME%" (e.g. "Administrator")
With data: "%USERPROFILE%\%USERNAME%.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spreads Via…

Removable drives

When Worm:Win32/Vobfus.E runs, it enumerates removable drives and drops a copy as the following:

\%USERNAME%.exe (e.g. F:\Administrator.exe)

The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a machine supporting the Autorun feature, the virus is launched automatically.

Analysis by Hong Jia

Last update 22 February 2019
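
A read-only triage check for the artifacts listed in this entry, added here as an example and not part of the Microsoft write-up. The autorun.inf key pattern and the decision to report every launch target found on a removable drive are assumptions of this example.

```powershell
# Read-only triage for the artifacts described above; it reports and changes nothing.
$userName    = $env:USERNAME
$expectedExe = Join-Path $env:USERPROFILE "$userName.exe"
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings    = @()

# 1. Run value named after the user whose data resolves to %USERPROFILE%\%USERNAME%.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $prop = $run.PSObject.Properties[$userName]
    if ($prop) {
        $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        if ($data -ieq $expectedExe) { $findings += "Run value '$userName' -> $data" }
    }
}

# 2. The dropped copy in the profile directory (hash it for lookup; do not execute it)
if (Test-Path -LiteralPath $expectedExe -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $expectedExe -Algorithm SHA256).Hash
    $findings += "File present: $expectedExe (SHA256 $hash)"
}

# 3. Removable drives (DriveType 2): root autorun.inf and the program it launches.
#    The copy on the drive is named after the user on the infecting machine, so
#    every launch target is reported, not only "<current user>.exe" (assumption).
$pattern = '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$'
foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path ($d.DeviceID + '\') 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { continue }
    foreach ($line in Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) {
        if ($line -match $pattern) {
            $findings += "$inf launches: $($Matches[2].Trim())"
        }
    }
}

if ($findings) { $findings } else { 'No matching artifacts found.' }
```

Run it in the session of the user being checked, since both the Run subkey and the file path are per-user.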

 
