
Worm:Win32/Vobfus.gen!O


First posted on 04 January 2012.
Source: Microsoft

Aliases :

Worm:Win32/Vobfus.gen!O is also known as Worm.Win32.Vobfus (Ikarus), Trojan.Win32.Buzus.jvch (Kaspersky), BKDR_CYCBOT.FLR (Trend Micro), Trojan/Win32.Diple (AhnLab).

Explanation :

Worm:Win32/Vobfus.gen!O is an obfuscated worm written in Visual Basic (VB) that spreads via removable drives and downloads additional malware from remote servers.





Installation

The worm may arrive on the affected computer bundled with other malware. In the wild, we have observed it being distributed with variants of the following:

  • Win32/Hiloti
  • Win32/Alureon
  • Win32/Renos
  • Win32/Virut
  • Win32/Cycbot
  • Win32/Fareit


Upon execution, Worm:Win32/Vobfus.gen!O creates a mutex named "A" to ensure that only a single copy of its process is running on the computer at any given time.

It then drops a copy of itself in the %USERPROFILE% folder using a random file name, for example:

  • %USERPROFILE%\mieetas.exe


It then creates the following registry entry so that this copy is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value>
With data: "%USERPROFILE%\<malware file name> /<random parameter>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "mieetas"
With data: "%USERPROFILE%\mieetas.exe /j"

Spreads via...

Network and removable drives

In the wild, we have observed the worm using one of two methods to spread; it may either:

  • Copy itself to the root folder of all available network and removable drives as "rcx<hexadecimal number>.tmp", then rename this file to any of the following:
    • subst.exe
    • secret.exe
    • sexy.exe
    • porn.exe
    • passwords.exe
  • Copy itself to the root folder of all available network and removable drives as "<random letters>.exe", "<random letters>x.exe", and / or "<random letters>.scr" (for example, saeas.exe and / or saeasx.exe) with the following shortcut files referencing it:
    • ..lnk
    • ...lnk
    • Documents.lnk
    • Music.lnk
    • New Folder.lnk
    • Passwords.lnk
    • Pictures.lnk
    • Subst.lnk
    • Video.lnk


It then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
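As an added example (not part of the advisory or of Microsoft's tooling), the following Python triage check applies the drive-root indicators described above to a raw directory listing and the drive's autorun.inf: it flags the renamed copies, the "rcx<hex>.tmp" staging file, the paired "<letters>.exe" / "<letters>x.exe" copies, the listed shortcut names, and an autorun entry that launches an executable at the root. The sample listing and autorun.inf contents are constructed for the demonstration.

```python
import re
import shlex

# File names the advisory attributes to Vobfus copies and shortcuts at a drive root
RENAMED_COPIES = {"subst.exe", "secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
SHORTCUT_NAMES = {"..lnk", "...lnk", "documents.lnk", "music.lnk", "new folder.lnk",
                  "passwords.lnk", "pictures.lnk", "subst.lnk", "video.lnk"}
STAGING_COPY = re.compile(r"^rcx[0-9a-f]+\.tmp$")   # "rcx<hex>.tmp" before the rename

def autorun_target(inf_text):
    """Return the program an autorun.inf would launch (open= / shellexecute=), or None."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute"):
                args = shlex.split(value, posix=False)   # keep backslashes intact
                return args[0].strip('"').lower() if args else None
    return None

def scan_drive_root(entries, inf_text=None):
    """entries: names at the drive root from a raw listing (os.listdir), not from
    Explorer, which hides them once ShowSuperHidden has been set to 0.
    Returns (reason, name) findings; an empty list means no Vobfus artifacts."""
    names = {e.lower() for e in entries}
    findings = []
    for name in sorted(names):
        if name in RENAMED_COPIES:
            findings.append(("renamed worm copy", name))
        elif name in SHORTCUT_NAMES:
            findings.append(("worm shortcut", name))
        elif STAGING_COPY.match(name):
            findings.append(("staging copy", name))
        elif name.endswith(".exe") and name[:-4] + "x.exe" in names:
            findings.append(("paired worm copies", name))   # e.g. saeas.exe + saeasx.exe
    target = autorun_target(inf_text) if inf_text else None
    if target in names and target.endswith((".exe", ".scr")):
        findings.append(("autorun.inf launches root executable", target))
    return findings

# Constructed sample listing and autorun.inf, not data taken from the advisory
SAMPLE_ROOT = ["autorun.inf", "saeas.exe", "saeasx.exe", "Documents.lnk",
               "Music.lnk", "rcx1A2B.tmp", "report.docx"]
SAMPLE_INF = "[AutoRun]\r\nopen=saeas.exe\r\nicon=saeas.exe,0\r\n"

if __name__ == "__main__":
    for reason, name in scan_drive_root(SAMPLE_ROOT, SAMPLE_INF):
        print(f"{reason}: {name}")
```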



Payload

Modifies computer settings

Worm:Win32/Vobfus.gen!O modifies the following registry entry to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Downloads and installs arbitrary files

Worm:Win32/Vobfus.gen!O drops additional malicious files in the %USERPROFILE% folder using a random file name, such as %USERPROFILE%\aehost.exe.

The worm also tries to contact a remote host at "ns1.player<removed>32.com" using TCP port 8000 or 8003, in order to download additional malware onto the computer.

In an effort to evade behavioral monitoring systems and programs, some variants may attempt to connect to 255.255.255.255 port 8000 instead of the previously mentioned remote host.



Analysis by Edgardo A. Diaz Jr

Last update 04 January 2012
