Win32/Vobfus


Microsoft security software detects and removes this family of threats.

This family of worms can download other malware onto your PC, including:

Vobfus worms can be downloaded by other malware or spread via removable drives, such as USB flash drives.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Additional remediation instructions for Vobfus:

This threat may make lasting changes to your PC's configuration that won't be restored by detection and removal. There is more information about returning your PC to its pre-infected state in the following articles:

Viewing hidden and/or system files:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Vobfus is a known co-infector; it is often downloaded by other malware, and also downloads other malware itself. Currently, we are seeing detections from the following malware families on PCs where we detect Vobfus:

Installation

In the wild, we have observed variants of Vobfus being downloaded by variants of Win32/Beebone.

When it runs, Win32/Vobfus creates a mutex named "A" to mark its infection and to make sure that only a single copy of its process is running on your PC at any one time.

It then drops a copy of itself in the "C:\Documents and Settings\<user>" folder using a random file name, for example:

C:\documents and settings\Administrator\zkyip.exe.exe

It then creates the following registry entries so it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"

Spreads via...

Network and removable drives

The worm copies itself to the root directory of network and removable drives under the temporary name "rcx<hexadecimal number>.tmp", then renames this TMP file to one of the following:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • system.exe

The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. If you access this drive from a PC supporting the Autorun feature, the worm is launched automatically.
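The drive-root artefacts described above (an autorun.inf that launches one of the listed file names, and a leftover rcx*.tmp copy) can be checked with a short script when triaging a suspect USB stick. The following Python is an added example and not part of Microsoft's entry; it builds a throwaway "drive root" in a temporary directory with a constructed autorun.inf and stub files (the stub contents and the benign holiday.jpg control file are assumptions) and reports what an Autorun-enabled PC would have launched.

```python
import configparser
import re
import tempfile
from pathlib import Path
from typing import List

# Names the entry lists for the renamed worm copy, and the temporary name used first.
VOBFUS_COPY_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "system.exe"}
TMP_NAME = re.compile(r"^rcx[0-9a-f]+\.tmp$", re.IGNORECASE)

# Constructed autorun.inf of the kind written to a drive root; "open" and
# "shell\<verb>\command" name the program Autorun would launch.
SAMPLE_AUTORUN = """[autorun]
open=passwords.exe
shell\\open\\command=passwords.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def autorun_targets(text: str) -> List[str]:
    """Programs an autorun.inf would launch, deduplicated, in file order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    targets: List[str] = []
    if parser.has_section("autorun"):
        for key, value in parser.items("autorun"):
            k = key.lower()
            launches = k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))
            if launches and value.strip():
                targets.append(value.strip().split()[0])  # first token = program, rest = args
    return list(dict.fromkeys(targets))


def inspect_drive_root(root: Path) -> List[str]:
    """Flag the removable-drive artefacts described above in one drive root."""
    findings: List[str] = []
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    for name in sorted(files):
        if TMP_NAME.match(name):
            findings.append(f"temporary worm copy still present: {name}")
    inf = files.get("autorun.inf")
    if inf is None:
        return findings
    for target in autorun_targets(inf.read_text(errors="replace")):
        t = target.lower().lstrip(".\\")
        if t in VOBFUS_COPY_NAMES:
            state = "present" if t in files else "missing, possibly already cleaned"
            findings.append(f"autorun.inf launches {t} from the drive root ({state})")
    return findings


def demo() -> List[str]:
    """Build a throwaway 'drive root' in a temp directory and inspect it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
        (root / "passwords.exe").write_bytes(b"stub")   # placeholder bytes, not a real program
        (root / "rcx1a2b.tmp").write_bytes(b"stub")
        (root / "holiday.jpg").write_bytes(b"\xff\xd8")  # benign control file
        return inspect_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To use it on a real drive, call inspect_drive_root(Path("E:\\")) from a machine with Autorun disabled; the parser deliberately tolerates duplicate keys and skips interpolation because autorun.inf files written by malware are rarely well formed.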

Payload

Changes PC settings

Worm:Win32/Vobfus changes the following registry entry to prevent you from changing how hidden files and folders are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
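The Run-key and Winlogon "Load" persistence described under Installation, together with the ShowSuperHidden change above, can be checked offline against a registry export. The following Python script is an added example and not part of Microsoft's entry; it parses a constructed `reg export` text (the sample values and the benign OneDrive control entry are assumptions) and flags the entries matching the shapes this page describes. As a generalisation beyond the entry, it also accepts C:\Users\<user> so the same check works on profile paths newer than Windows XP.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` output for the affected HKCU keys might
# look like. "OneDrive" is a benign control entry that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"zkyip"="C:\\documents and settings\\administrator\\zkyip.exe /f"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\documents and settings\\administrator\\zkyip.exe /t"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000001
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# An .exe sitting directly in the profile root (no subfolder), optionally followed
# by one "/x" switch, which is the shape of the data the entry describes.
# "users" is an assumption added so the check also covers post-XP profile paths.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\(?:documents and settings|users)\\[^\\"]+\\[^\\"]+\.exe"?(?:\s+/\w+)?$',
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: raw_data}} for string and dword values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: .reg files double every backslash inside quoted data
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_vobfus_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every entry matching this page's description."""
    findings: List[Tuple[str, str, str]] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if PROFILE_ROOT_EXE.match(data):
            findings.append((RUN_KEY, name, data))
    load = keys.get(LOAD_KEY, {}).get("Load")
    if load is not None and PROFILE_ROOT_EXE.match(load):
        findings.append((LOAD_KEY, "Load", load))
    hidden = keys.get(ADVANCED_KEY, {}).get("ShowSuperHidden", "")
    if hidden.lower() == "dword:00000000":   # protected OS files forced hidden
        findings.append((ADVANCED_KEY, "ShowSuperHidden", hidden))
    return findings


def scan_sample() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed export (entry point for the usage below)."""
    return find_vobfus_indicators(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for key, name, data in scan_sample():
        print(f"[{key}] {name} = {data}")
```

The Winlogon "Load" value is rarely used by legitimate software, so any non-empty value there deserves a look even when it does not match the pattern; the Run key is noisier, which is why the check there is restricted to executables dropped straight into the profile root.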

Downloads and runs other malware

Worm:Win32/Vobfus tries to connect to a remote host to receive encrypted commands that, when decrypted, specify the following:

<URL to download><Save as file name>

The remote host's address is hardcoded in the variant's binary, and varies as the malware author releases new binaries. The address may be a full domain (for example, ns1.player1532) or assembled as <domain string><number>.<domain extension>, for example:

  • ns1.timedate1.org
  • ns1.timedate3.com

Common domain strings used by Worm:Win32/Vobfus include:

  • codeconline.net
  • imagehut2.cn
  • msdip.com
  • ns1.backdate1.com
  • ns1.backupdate1.com
  • ns1.cpuchecks
  • ns1.datetoday1.org
  • ns1.helpcheck1
  • ns1.helpchecks
  • ns1.helpchecks.net
  • ns1.helpupdated
  • ns1.helpupdated.com
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdater
  • ns1.helpupdater.net
  • ns1.mysearchhere.net
  • ns1.searchhereonline.net
  • ns1.theimageparlour.net
  • ns1.thepicturehut.net
  • ns1.timedate3.com
  • ns2.helpchecks.net
  • ns2.helpupdated.com
  • ns2.helpupdated.org
  • ns2.helpupdatek.at
  • ns2.helpupdater.net
  • ns2.mysearchhere.net
  • ns2.searchhereonline.net
  • ns2.theimageparlour.net
  • ns2.thepicturehut.net
  • ns3.helpchecks.net
  • ns3.helpupdated.com
  • ns3.helpupdated.org
  • ns3.helpupdatek.at
  • ns3.helpupdater.net
  • ns3.mysearchhere.net
  • ns3.searchhereonline.net
  • ns3.theimageparlour.net
  • ns3.thepicturehut.net
  • ns4.helpchecks.net
  • ns4.helpupdated.com
  • ns4.helpupdated.org
  • ns4.helpupdatek.at
  • ns4.helpupdater.net
  • ns4.mysearchhere.net
  • ns4.searchhereonline.net
  • ns4.theimageparlour.net
  • ns4.thepicturehut.net
  • peazoom.com
  • thethoughtzone.net
  • usezoom.com
  • vrera.com
  • zoomslovenia.com

The worm uses the following domain extensions (note that it will attempt to use each domain extension as ordered below, moving to the next one on the list if it cannot connect):

  • .com
  • .net
  • .org
  • .biz
  • .info
  • .by

The worm contacts these remote hosts using any of the following TCP ports:

  • 2002
  • 7001
  • 7002
  • 7003
  • 7004
  • 7005
  • 8000
  • 8003
  • 9002
  • 9003
  • 9004

We have observed these hosts resolving to the following IP addresses:

  • 188.65.<removed>.13
  • 192.162.<removed>.73
  • 46.28.<removed>.32
  • 60.172.<removed>.143
  • 60.172.<removed>.144
  • 60.173.<removed>.9
  • 78.46.<removed>.198
  • 78.47.<removed>.165
  • 94.250.<removed>.83

The worm downloads files from the remote host into the %USERPROFILE% folder, saving them under the random file name supplied by the decrypted command, for example neode.exe.
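The host naming scheme, TLD failover order and port list above translate directly into a network-side check. The following Python is an added example, not part of Microsoft's entry; it triages a constructed key=value connection log (TEST-NET addresses and the benign example.com hosts are assumptions, not the page's indicators) against the hosts, domain strings, extensions and ports listed on this page, and expands one domain string into the full failover sequence so the whole set can be added to a DNS blocklist or sinkhole rather than only the first name seen.

```python
import re
from typing import Dict, List, Optional

# Taken from the entry above: hosts listed with a TLD, domain strings listed
# without one, the TLD failover order, and the TCP ports the worm uses.
KNOWN_HOSTS = {"ns1.timedate1.org", "ns1.timedate3.com", "ns1.backdate1.com",
               "ns2.helpupdatek.at", "peazoom.com", "vrera.com", "zoomslovenia.com"}
KNOWN_DOMAIN_STRINGS = {"ns1.cpuchecks", "ns1.helpcheck1", "ns1.helpchecks",
                        "ns1.helpupdated", "ns1.helpupdater"}
TLD_ORDER = [".com", ".net", ".org", ".biz", ".info", ".by"]
C2_PORTS = {2002, 7001, 7002, 7003, 7004, 7005, 8000, 8003, 9002, 9003, 9004}

# <domain string><number>.<extension> as described above, e.g. ns1.timedate3.com
GENERATED_HOST = re.compile(r"^ns\d\.[a-z]+\d\.(?:com|net|org|biz|info|by)$")
LOG_FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed key=value connection log (TEST-NET addresses, not the page's IPs).
SAMPLE_LOG = """2014-05-13T10:02:11Z src=10.1.2.3 dst=203.0.113.5 dport=7002 host=ns1.timedate3.com
2014-05-13T10:02:12Z src=10.1.2.3 dst=203.0.113.5 dport=7002 host=ns1.timedate3.net
2014-05-13T10:03:40Z src=10.1.2.7 dst=198.51.100.9 dport=443 host=www.example.com
2014-05-13T10:04:05Z src=10.1.2.3 dst=203.0.113.6 dport=9004 host=ns2.helpupdatek.at
2014-05-13T10:05:00Z src=10.1.2.9 dst=198.51.100.20 dport=8000 host=intranet.example.net
"""


def failover_candidates(domain_string: str, number: int) -> List[str]:
    """Hostnames the worm would try, in the page's order, for one <domain string><number>."""
    return [f"{domain_string}{number}{tld}" for tld in TLD_ORDER]


def classify(host: str, port: int) -> Optional[str]:
    """Reason string if host looks like Vobfus C2, else None. Port alone is not evidence."""
    h = host.lower().rstrip(".")
    if h in KNOWN_HOSTS:
        reason = "known Vobfus host"
    elif any(h == s or h.startswith(s + ".") for s in KNOWN_DOMAIN_STRINGS) or GENERATED_HOST.match(h):
        reason = "matches Vobfus host pattern"
    else:
        return None
    return reason + (f" on C2 port {port}" if port in C2_PORTS else f" on unlisted port {port}")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious line: source, host and the reason it matched."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = dict(LOG_FIELD.findall(line))
        if "host" not in fields or "dport" not in fields:
            continue
        reason = classify(fields["host"], int(fields["dport"]))
        if reason:
            hits.append({"src": fields.get("src", "?"), "host": fields["host"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
    print(failover_candidates("ns1.timedate", 3))
```

The second log line is the interesting one for detection: the .net attempt immediately after the .com one is the failover behaviour the entry describes, and a host walking the extension list in that order from one source address is a stronger signal than any single name or port.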

Older variants have been observed dropping and/or downloading malware belonging to the following families:

Newer variants, however, have been observed downloading variants from the TrojanDownloader:Win32/Beebone family.

Analysis by Edgardo Diaz Jr & Patrick Estavillo


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry changes:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random>"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "Load"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

Prevention


Alert level: Severe
This entry was first published on: Mar 03, 2010
This entry was updated on: May 13, 2014

This threat is also detected as:
No known aliases