
Worm:Win32/Vobfus.gen!T


First posted on 29 March 2012.
Source: Microsoft

Aliases:

Worm:Win32/Vobfus.gen!T is also known as Trojan/Win32.Menti (AhnLab), W32/Vobfus.AD.gen!Eldorado (Command), W32/Vobfus.BJS (Norman), Trojan.VBGent.Gen.995 (VirusBuster), Trojan horse SHeur4.PRZ (AVG), TR/Chinky.79949 (Avira), Trojan.VbCrypt.81 (Dr.Web), Win32/AutoRun.VB.ARU worm (ESET), Worm.Win32.Vobfus (Ikarus), Worm.Win32.WBNA.bvr (Kaspersky), VBObfus.df (McAfee), Mal/ZboCheMan-A (Sophos), W32.Changeup (Symantec), WORM_VOBFUS.SMAB (Trend Micro).

Explanation:

Worm:Win32/Vobfus.gen!T is a generic detection for obfuscated Visual Basic (VB)-compiled malware that spreads via removable drives, and downloads additional malware from remote servers.

Installation

Upon execution, Worm:Win32/Vobfus.gen!T creates a mutex named "A" to make sure that only a single copy of its process is executing in the computer at any given time.

It then drops a copy of itself in the %USERPROFILE% folder using a random file name, for example:

%USERPROFILE%\peufuel.exe

It then creates the following registry entry so that this copy is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value>
With data: "%USERPROFILE%\<malware file name> /<random parameter>"

For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "peufuel"
With data: "%USERPROFILE%\peufuel.exe /i"

Spreads via...

Network and removable drives

Worm:Win32/Vobfus.gen!T copies itself to the root folder of every available network and removable drive under the file name "rcx<hexadecimal number>.tmp", then renames that copy to one of the following:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe


It writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.



Payload

Modifies computer settings

Worm:Win32/Vobfus.gen!T modifies the following registry entry so that protected operating system files (those carrying both the hidden and system attributes) are not shown in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

The worm also modifies the following registry entry to disable the infected machine's Automatic Updates feature:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoUpdate"
With data: "1"
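The Installation and Payload sections above give three host-side indicators that can be checked without touching the live machine: a Run value pointing at an .exe directly under the profile root with a switch, an autorun.inf in a drive root that launches one of the listed file names, and the ShowSuperHidden and NoAutoUpdate values set to 0 and 1. The following Python is an added example written for this page, not Microsoft's code; it parses a `reg export` text dump and an autorun.inf and flags those indicators. The registry dump, the user name alice, the OneDrive entry used as a benign control and both autorun.inf files are constructed sample data, and the expanded C:\Users\<user> path is treated as equivalent to the %USERPROFILE% the writeup shows (an assumption about how the value is stored on disk).

```python
# Offline triage for the host-side indicators above. Added example for this
# page, not Microsoft's code: it reads a `reg export` dump and an autorun.inf
# as text, so it runs off the suspect machine. All sample data is constructed.
import re

DRIVE_COPY_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe"}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# reg export lines: "name"="string" (backslash-escaped) or "name"=dword:xxxxxxxx
REG_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
REG_DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9A-Fa-f]{8})$')
# Run data of the form <profile root>\<file>.exe /<switch>: either the literal
# %USERPROFILE% the writeup shows or the expanded profile directory (assumed).
PROFILE_EXE_RE = re.compile(
    r"^(?P<dir>%USERPROFILE%|[A-Za-z]:\\(?:Users|Documents and Settings)\\[^\\]+)"
    r"\\(?P<exe>[^\\]+\.exe) /(?P<switch>\S+)$", re.IGNORECASE)


def _unescape(s):  # reg export writes \ as \\ and " as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key path: {value name: data}} for REG_SZ and DWORD values; other types skipped."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key is not None and (m := REG_SZ_RE.match(line)):
            values[key][_unescape(m.group(1))] = _unescape(m.group(2))
        elif key is not None and (m := REG_DWORD_RE.match(line)):
            values[key][_unescape(m.group(1))] = int(m.group(2), 16)
    return values


def suspicious_run_entries(values):
    """Run values launching an .exe that sits directly in the profile root, with a switch."""
    hits = []
    for name, data in values.get(RUN_KEY, {}).items():
        m = PROFILE_EXE_RE.match(data.strip().strip('"')) if isinstance(data, str) else None
        if m:
            hits.append((name, m.group("exe"), m.group("switch")))
    return hits


def tampered_settings(values):
    """The two settings the writeup says the worm changes, when set to the malicious value."""
    findings = []
    if values.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        findings.append("ShowSuperHidden=0: protected OS files hidden in Explorer")
    if values.get(AU_KEY, {}).get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1: Automatic Updates disabled by policy")
    return findings


def autorun_launch_target(inf_text):
    """Command an autorun.inf runs on insertion (open= or shellexecute=), or None."""
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"  # section name is case-insensitive
        elif in_autorun and "=" in line and not line.startswith(";"):
            k, v = (part.strip() for part in line.split("=", 1))
            if k.lower() in ("open", "shellexecute", "shell\\open\\command"):
                return v
    return None


def autorun_points_at_worm_name(inf_text):
    """True if the launch target's file name is one of the worm's known drive-copy names."""
    target = autorun_launch_target(inf_text)
    if not target:
        return False
    return target.split()[0].strip('"').rsplit("\\", 1)[-1].lower() in DRIVE_COPY_NAMES


# Constructed sample artifacts (user "alice" and every value below are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"peufuel"="C:\\Users\\alice\\peufuel.exe /i"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
'''
WORM_AUTORUN = "[autorun]\nopen=sexy.exe\nicon=sexy.exe\naction=Open folder to view files\n"
VENDOR_AUTORUN = "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("Run:", suspicious_run_entries(reg), "Settings:", tampered_settings(reg))
    print("Worm inf:", autorun_points_at_worm_name(WORM_AUTORUN),
          "Vendor inf:", autorun_points_at_worm_name(VENDOR_AUTORUN))
```

Run the module directly to see the findings for the sample data. On a real case, feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the Explorer\Advanced and WindowsUpdate\AU keys) plus the autorun.inf copied from the drive root. A Run value stored as REG_EXPAND_SZ is exported as hex(2) and is skipped by this parser, so check such entries by hand.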

Downloads arbitrary files

Worm:Win32/Vobfus.gen!T also tries to contact the following remote hosts on port 8000 in order to download additional malware onto the computer:

  • ns1.spansearcher.org
  • ns1.spansearcher.net
  • ns1.player1352.com
  • ns1.player1352.net


The dropped or downloaded files are commonly detected as one of the following:

  • Win32/Alureon
  • Win32/Cycbot
  • Win32/Fareit
  • Win32/Hiloti
  • Win32/Renos
  • Win32/Sirefef
  • Win32/Virut




Analysis by Edgardo Diaz

Last update 29 March 2012
