Worm:Win32/Vobfus.gen!B is a generic detection for obfuscated Visual Basic (VB) compiled malware that spreads via removable drives and downloads additional malware from remote servers.
Installation
Worm:Win32/Vobfus.gen!B drops a copy of itself into the logged-on user's profile directory under a random six-character file name, for example, "xealip.exe".
Worm:Win32/Vobfus.gen!B modifies the registry to run the dropped copy at each Windows start as in the following example:
Adds value: "xealip"
With data: "%USERPROFILE%\xealip.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Removable drives
Worm:Win32/Vobfus.gen!B enumerates removable drives and drops copies of the worm executable (for example, "xealip.exe" and "viuoqu.scr") under the root folder of each removable drive:
<drive:>\xealip.exe
<drive:>\viuoqu.scr
The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy with the ".exe" file extension. When the drive is accessed from a machine on which the Autorun feature is enabled, the worm is launched automatically.
Worm:Win32/Vobfus.gen!B may also drop the following files on the removable drive:
- <two random characters>.lnk
- <two random characters>.dll
Remote drives
Worm:Win32/Vobfus.gen!B drops copies of the worm executable (for example, "xealip.exe" and "xealipx.exe") under the root folder of each writeable remote drive:
<drive:>\xealip.exe
<drive:>\xealipx.exe
The worm also creates shortcuts under the root directory on remote drives that have the same name as existing folders in the root directory, for example:
- new folder.lnk
- passwords.lnk
- documents.lnk
- pictures.lnk
- music.lnk
- video.lnk
- subst.lnk
- ..lnk
- ...lnk
Each shortcut points to the dropped worm executable with the ".exe" file extension. Once the user opens the link, the worm copy executes.
Payload
Modifies computer settings
Worm:Win32/Vobfus.gen!B modifies the following registry entries to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
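The removable-drive traits described above (an autorun.inf that launches a six-letter executable, and .lnk files that shadow real folder names) and the two registry changes can be triaged with a few lines of Python. The following is an added example, not the vendor's detection logic; the function names, the input shapes and the sample data in comments are assumptions, and the name pattern is matched rather than the example names because the real drops are random.

```python
import re
from configparser import ConfigParser, Error

# Added triage helpers for the traits this page describes. Function names,
# input shapes and all sample data are assumptions/constructed, not the
# vendor's own logic; the dropped names are random, so we match the pattern
# (six letters, optional trailing "x", .exe/.scr) rather than the examples.
DROPPED_NAME = re.compile(r"^[a-z]{6}x?\.(exe|scr)$", re.I)
RUN_DATA = re.compile(r"^%userprofile%\\([a-z]{6})\.exe$", re.I)

def autorun_target(autorun_inf_text):
    """Return the file an autorun.inf [autorun] section would launch, or None."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(autorun_inf_text)
    except Error:  # no [autorun] header, junk lines, etc.
        return None
    for key in ("open", "shellexecute"):
        if cp.has_option("autorun", key):
            raw = cp.get("autorun", key).strip()
            if raw.startswith('"'):  # quoted path, possibly with spaces
                return raw[1:].split('"', 1)[0]
            return raw.split()[0] if raw else None
    return None

def drive_root_findings(entries, autorun_inf_text):
    """entries: list of (name, is_dir) from a removable drive root."""
    findings = []
    names = {name.lower() for name, _ in entries}
    folders = {name.lower() for name, is_dir in entries if is_dir}
    target = autorun_target(autorun_inf_text)
    if target and DROPPED_NAME.match(target) and target.lower() in names:
        findings.append(f"autorun.inf launches dropped file {target}")
    for name, is_dir in entries:  # "documents.lnk" beside folder "documents"
        stem = name[:-4].lower()
        if not is_dir and name.lower().endswith(".lnk") and stem in folders:
            findings.append(f"shortcut {name} shadows folder {stem}")
    return findings

def registry_findings(run_values, explorer_advanced):
    """run_values: {name: data} under HKCU\\...\\Run; explorer_advanced: values of the Advanced key."""
    findings = []
    for value, data in run_values.items():
        m = RUN_DATA.match(data)
        if m and m.group(1).lower() == value.lower():  # name == six-letter exe stem
            findings.append(f"Run value {value} launches {data}")
    if str(explorer_advanced.get("ShowSuperHidden", "")) == "0":
        findings.append("ShowSuperHidden forced to 0 (super-hidden files stay hidden)")
    return findings
```

Feed `drive_root_findings` a directory listing of the drive root plus the text of its autorun.inf, and `registry_findings` the exported values of the Run and Explorer\Advanced keys; each returns a list of human-readable findings, empty for a clean drive or profile.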
Terminates processes and threads
Worm:Win32/Vobfus.gen!B prevents security software from terminating its processes by patching two Windows system APIs (TerminateProcess and TerminateThread).
Downloads and executes arbitrary files
Worm:Win32/Vobfus.gen!B tries to download additional files from a remote server and saves them under %UserProfile%; we have observed the worm contacting the following domain over TCP port 8000:
Analysis by Vincent Tiu