
Worm:Win32/Vobfus.gen!Q


First posted on 27 January 2012.
Source: Microsoft

Aliases:

Worm:Win32/Vobfus.gen!Q is also known as Win32/Pronny.AA (ESET), Trojan.Win32.Diple.edfh (Kaspersky), VBObfus.cl (McAfee), WORM_VOBFUS.MJSM (Trend Micro).

Explanation:

Worm:Win32/Vobfus.gen!Q is the generic detection for obfuscated Visual Basic (VB)-compiled malware that spreads via removable drives and downloads additional malware from remote servers.


Installation

Worm:Win32/Vobfus.gen!Q may arrive on the affected computer bundled with other malware. In the wild, we have observed it being distributed with variants of the following:

  • Win32/Sirefef
  • Win32/Hiloti
  • Win32/Alureon
  • Win32/Renos
  • Win32/Virut
  • Win32/Cycbot
  • Win32/Fareit

Upon execution, Worm:Win32/Vobfus.gen!Q creates a mutex named "A" so that only one instance of the worm runs on the computer at a time. It then drops a copy of itself in the %USERPROFILE% folder under a random file name, for example:

%USERPROFILE%\veatai.exe

The worm then adds a Run entry under HKCU so that its copy is started at each logon of the affected user:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random value>
With data: "%USERPROFILE%\<malware file name> /<random parameter>"

For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "qeefeof"
With data: "%USERPROFILE%\veatai.exe /u"
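The installation artifacts described above (the mutex, the executable dropped in the profile root and the HKCU Run value) can be checked on a live host with the script below. It is an added triage script, not part of the Microsoft write-up; the regular expression for the Run value data and the decision to flag every executable in the profile root are assumptions drawn from the example above, not behaviour the write-up guarantees for every variant.

```powershell
# Added triage script (not from the Microsoft write-up). Read-only: it reports,
# it does not remediate. Run in Windows PowerShell 4.0 or later on the host
# under examination, as the user whose profile is being checked.

# 1. The single-instance mutex named "A". An unqualified mutex name lives in the
#    current session's namespace, so this must run in the logged-on user's
#    session. A mutex called "A" is weak evidence on its own; treat it as one
#    indicator among several.
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting('A', [ref]$m)) {
    Write-Warning 'Mutex "A" is present in this session'
    $m.Close()
}

# 2. HKCU Run values whose data looks like "<profile root>\<name>.exe /<switch>",
#    e.g. "%USERPROFILE%\veatai.exe /u" (pattern is an assumption from that
#    example). Environment variables are expanded first so that literal
#    %USERPROFILE% and an already-expanded path both match.
$runKey  = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = '^"?' + [regex]::Escape($env:USERPROFILE) + '\\[^\\"]+\.exe"?\s+/\w+\s*$'
foreach ($name in $runKey.GetValueNames()) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$runKey.GetValue($name))
    if ($data -match $pattern) {
        Write-Warning ("Suspicious Run value '{0}' = {1}" -f $name, $data)
    }
}

# 3. Executables sitting directly in the profile root. Legitimate software almost
#    never installs there, so each hit is hashed and its signature checked for
#    follow-up (submit the hash, compare against the drive copies).
Get-ChildItem -Path $env:USERPROFILE -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        Write-Warning ("Executable in profile root: {0} signature={1} sha256={2}" -f $_.FullName, $sig, $hash)
    }
```

Because the Run value name and the file name are random, the script keys on the shape of the data (an executable directly in the profile root followed by a single switch) rather than on fixed strings; a hit in step 2 that also has a matching file in step 3 is the combination worth escalating.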

Spreads via...

Network and removable drives
Worm:Win32/Vobfus.gen!Q copies itself to the root folder of every available network and removable drive, first under the file name "rcx<hexadecimal number>.tmp" and then renaming that file to one of the following:

  • ..exe
  • ...exe
  • subst.exe
  • secret.exe
  • sexy.exe
  • porn.exe
  • passwords.exe
  • <random letters>.exe


The worm also writes an Autorun configuration file named "autorun.inf" in the drive root that points to its copy. When the drive is opened on a computer where Autorun is enabled for that drive type, Windows launches the worm automatically.
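The drive-side artifacts above (the fixed copy names, leftover rcx<hex>.tmp staging files and the autorun.inf that points at the copy) can be swept from a clean analysis machine with the script below. It is an added example, not part of the Microsoft write-up; the autorun.inf parsing covers the open=, shellexecute= and shell\<verb>\command= keys that Autorun executes, which is standard autorun.inf syntax rather than something the write-up states about this worm.

```powershell
# Added sweep script (not from the Microsoft write-up). Read-only: it never
# executes anything from the drive. Run in Windows PowerShell 4.0 or later on
# a machine where Autorun is already disabled for removable drives.

# Copy names listed in the write-up. "<random letters>.exe" cannot be listed;
# the autorun.inf target below is what catches that case.
$knownNames = @('..exe', '...exe', 'subst.exe', 'secret.exe', 'sexy.exe', 'porn.exe', 'passwords.exe')

# Win32_LogicalDisk DriveType: 2 = removable, 4 = network (the two the worm targets).
$drives = Get-CimInstance -ClassName Win32_LogicalDisk | Where-Object { $_.DriveType -in @(2, 4) }

foreach ($drive in $drives) {
    $root = $drive.DeviceID + '\'

    # a) Files in the root under the known names, plus staging files whose rename never completed.
    Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($knownNames -contains $_.Name) -or ($_.Name -match '^rcx[0-9a-fA-F]+\.tmp$') } |
        ForEach-Object { Write-Warning ("Worm copy candidate: {0}" -f $_.FullName) }

    # b) autorun.inf: report what Autorun would launch and hash that file if it exists.
    $inf = Join-Path -Path $root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        foreach ($line in $lines) {
            if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
                $target = $Matches[2]
                Write-Warning ("autorun.inf on {0} launches: {1}" -f $drive.DeviceID, $target)

                # Strip quotes and arguments, then hash the referenced file when it is on the drive.
                $exe     = (($target -replace '"', '') -split '\s+')[0]
                $exePath = Join-Path -Path $root -ChildPath $exe
                if (Test-Path -LiteralPath $exePath -PathType Leaf) {
                    $hash = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
                    Write-Warning ("  target exists on drive, SHA256 {0}" -f $hash)
                }
            }
        }
    }
}
```

Do the sweep only on a host where Autorun is already off for removable and network drives (NoDriveTypeAutoRun = 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), since merely browsing the drive in Explorer on an unpatched machine is what the autorun.inf relies on. The "..exe" and "...exe" names are deliberately chosen to look like directory entries in a listing, so compare the SHA256 of every hit with the copy found in %USERPROFILE% rather than trusting the name.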



Payload

Modifies Windows settings
Worm:Win32/Vobfus.gen!Q modifies the following registry entry so that protected operating system files (files carrying both the hidden and system attributes) are not displayed in Windows Explorer, undoing any choice the user made to show them:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Worm:Win32/Vobfus.gen!Q disables Windows Automatic Updates on the affected computer by setting the following policy value:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoUpdate"
With data: "1"

Drops and downloads arbitrary files
Worm:Win32/Vobfus.gen!Q also tries to contact the remote host "ns1.player<removed>32.com" on TCP port 8000 in order to download additional malware onto the computer.

The dropped or downloaded files are commonly detected as one of the following:

  • Win32/Sirefef
  • Win32/Hiloti
  • Win32/Alureon
  • Win32/Renos
  • Win32/Virut
  • Win32/Cycbot
  • Win32/Fareit
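The two payload behaviours above, the registry changes and the download over TCP port 8000, can be checked with the script below. It is an added example, not part of the Microsoft write-up. The remote host name is redacted on this page and is therefore not used; the network check instead keys on the port and on the owning process living in a user profile root, which is an assumption built from the installation details earlier on the page.

```powershell
# Added check script (not from the Microsoft write-up). Run elevated so that
# the HKLM policy key and other users' processes are readable.

function Get-RegValue {
    # Returns the value data, or $null if the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. ShowSuperHidden = 0 hides files carrying the hidden+system attributes in
#    Explorer. It is also the Windows default, so on its own it proves nothing;
#    it is meaningful when a user who had enabled "show protected operating
#    system files" finds the setting silently reset.
$ssh = Get-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name 'ShowSuperHidden'
Write-Output ("ShowSuperHidden = {0} (0 matches the worm's setting and the Windows default)" -f $ssh)

# 2. NoAutoUpdate under the Policies hive is normally written only by Group
#    Policy. On a standalone machine, or on one whose update GPO does not set
#    it (compare with "gpresult /h report.html"), a value of 1 is a strong
#    indicator.
$nau = Get-RegValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate'
if ($nau -eq 1) {
    Write-Warning 'NoAutoUpdate = 1: Automatic Updates disabled through the policy value'
    # Once no GPO is found to own it, remove the value rather than setting it
    # to 0 so the machine returns to "not configured":
    # Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -Name 'NoAutoUpdate'
}

# 3. The downloader talks to its host on TCP 8000. Flag connections to that
#    port owned by a process whose image sits directly in a profile root
#    (C:\Users\<name>\something.exe). Get-NetTCPConnection needs Windows 8 /
#    Server 2012 or later; on older hosts use "netstat -ano" and map the PID.
$profilesRoot = Split-Path -Path $env:USERPROFILE -Parent   # e.g. C:\Users
Get-NetTCPConnection -RemotePort 8000 -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path) {
        $imageDirParent = Split-Path -Path (Split-Path -Path $proc.Path -Parent) -Parent
        if ($imageDirParent -ieq $profilesRoot) {
            Write-Warning ("PID {0} {1} -> {2}:{3} ({4})" -f $proc.Id, $proc.Path, $_.RemoteAddress, $_.RemotePort, $_.State)
        }
    }
}
```

Port 8000 is used by plenty of legitimate software, so the process-location filter is what makes the third check useful; on a proxy or firewall, the equivalent is an outbound TCP/8000 rule logged per client so that the host can then be triaged with the first two checks.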




Analysis by Edgardo Diaz

Last update 27 January 2012