Win32/Vobfus


Microsoft security software detects and removes this family of threats.

This family of worms can download other malware onto your PC, including:

Vobfus worms can be downloaded by other malware or spread via removable drives, such as USB flash drives.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Additional remediation instructions for Vobfus:

This threat may make lasting changes to a PC's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected PC to its pre-infected state, please see the following articles:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Vobfus is often downloaded by other malware, and also downloads other malware itself, including:

Installation

In the wild, we have observed variants of Vobfus being downloaded by variants of Win32/Beebone.

This threat creates a mutex named "A" to mark its infection, and to make sure that only a single copy of its process is running on your PC at any one time.

It then drops a copy of itself directly in the user's profile folder, "C:\Documents and Settings\<user>", using a random file name, for example:

C:\documents and settings\Administrator\zkyip.exe

It creates the following registry entries so it runs each time you start your PC. The second, the "Load" value, is a legacy autostart location that legitimate software seldom uses, so a non-empty value there is itself a strong indicator:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"

Spreads via...

Network and removable drives

The worm copies itself to the root directory of network and removable drives under a temporary name of the form "rcx<hexadecimal number>.tmp", then renames that TMP file to one of the following:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • system.exe

The worm also writes an Autorun configuration file named "autorun.inf" at the drive root pointing to the renamed copy. If the drive is then connected to a PC that honours Autorun for removable media, the worm copy is launched automatically when the drive is opened.

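The removable-drive artifacts just described (lure file names, the rcx<hex>.tmp staging copy, and an autorun.inf that points at the copy) can be checked for on a mounted drive. The following is an added example and not code from the write-up or from Microsoft: the file names and the TMP pattern are taken from the text above, while the sample drive layout and the autorun.inf contents are constructed for the example. It parses autorun.inf by hand rather than with configparser, because worms commonly pad the file with lines that are not key=value pairs and configparser rejects those.

```python
"""Triage a removable-drive root for the Vobfus spreading artifacts described
above: an autorun.inf whose launch keys point at one of the lure file names,
the lure files themselves, and leftover rcx<hex>.tmp staging files.

Added example, not code from the write-up or from Microsoft.  The file names
and the rcx<hex>.tmp pattern come from the text above; the sample drive
layout and the autorun.inf contents are constructed here.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "system.exe"}
TMP_STAGING = re.compile(r"^rcx[0-9a-f]+\.tmp$", re.I)
# autorun.inf keys through which Windows launches or offers an executable.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
FIRST_TOKEN = re.compile(r'^\s*"?([^"\s]+)')


def parse_autorun_inf(text: str) -> dict[str, dict[str, str]]:
    """Tolerant INI parse: [section] headers and key=value pairs, everything
    else ignored.  Deliberately not configparser, which raises on the junk
    lines worms commonly pad autorun.inf with to hinder scanners."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections: dict[str, dict[str, str]]) -> list[str]:
    """Bare file names the [autorun] section would launch, in LAUNCH_KEYS
    order, de-duplicated: '"porn.exe" /x' and '.\\porn.exe' both -> 'porn.exe'."""
    autorun = sections.get("autorun", {})
    names = []
    for key in LAUNCH_KEYS:
        m = FIRST_TOKEN.match(autorun.get(key, ""))
        if m:
            names.append(Path(m.group(1).replace("\\", "/")).name.lower())
    return list(dict.fromkeys(names))


def triage_drive_root(root: Path) -> dict:
    """Collect the indicators found at the root of a mounted drive."""
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    report = {
        "lure_files": sorted(n for n in files if n in LURE_NAMES),
        "staging_tmp": sorted(n for n in files if TMP_STAGING.match(n)),
        "autorun_targets": [],
        "autorun_points_to_lure": False,
    }
    inf = files.get("autorun.inf")
    if inf is not None:
        targets = launch_targets(parse_autorun_inf(inf.read_text(errors="replace")))
        report["autorun_targets"] = targets
        report["autorun_points_to_lure"] = any(t in LURE_NAMES for t in targets)
    return report


def make_sample_drive() -> Path:
    """Constructed sample (not a real capture): a drive root laid out the way
    the write-up describes, plus a junk line in autorun.inf."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_drive_"))
    (root / "porn.exe").write_bytes(b"MZ" + b"\x00" * 62)     # placeholder, not a real PE
    (root / "rcx1A2F.tmp").write_bytes(b"MZ")                 # staging copy left behind
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff")       # innocent user file
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "\x07\x01padding line without a separator\n"
        "open=porn.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
        "shell\\open\\command=\"porn.exe\"\n"
        "shell\\explore\\command=.\\porn.exe\n"
        "action=Open folder to view files\n"
    )
    return root


if __name__ == "__main__":
    print(triage_drive_root(make_sample_drive()))
```

Run it against a real drive with `triage_drive_root(Path("E:/"))`; an autorun.inf whose targets are in `LURE_NAMES`, or a leftover `rcx*.tmp`, is worth pulling the drive for analysis even if the scanner has already deleted the executable.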
Payload

Changes PC settings

Worm:Win32/Vobfus sets the following registry entry so that files marked as protected operating system files (hidden and system) are not shown in Windows Explorer, and so that the setting cannot simply be toggled back through Folder Options:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Downloads and runs other malware

Worm:Win32/Vobfus tries to connect to a remote host to receive encrypted commands that, when decrypted, specify the following:

<URL to download><Save as file name>

The remote host's address is hardcoded in the variant's binary, and varies as the malware author releases new binaries. The address may be a full domain (for example, ns1.player1532) or assembled as <domain string><number>.<domain extension>, for example:

  • ns1.timedate1.org
  • ns1.timedate3.com

Common domain strings used by Worm:Win32/Vobfus include:

  • codeconline.net
  • imagehut2.cn
  • msdip.com
  • ns1.backdate1.com
  • ns1.backupdate1.com
  • ns1.cpuchecks
  • ns1.datetoday1.org
  • ns1.helpcheck1
  • ns1.helpchecks
  • ns1.helpchecks.net
  • ns1.helpupdated
  • ns1.helpupdated.com
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdater
  • ns1.helpupdater.net
  • ns1.mysearchhere.net
  • ns1.searchhereonline.net
  • ns1.theimageparlour.net
  • ns1.thepicturehut.net
  • ns1.timedate3.com
  • ns2.helpchecks.net
  • ns2.helpupdated.com
  • ns2.helpupdated.org
  • ns2.helpupdatek.at
  • ns2.helpupdater.net
  • ns2.mysearchhere.net
  • ns2.searchhereonline.net
  • ns2.theimageparlour.net
  • ns2.thepicturehut.net
  • ns3.helpchecks.net
  • ns3.helpupdated.com
  • ns3.helpupdated.org
  • ns3.helpupdatek.at
  • ns3.helpupdater.net
  • ns3.mysearchhere.net
  • ns3.searchhereonline.net
  • ns3.theimageparlour.net
  • ns3.thepicturehut.net
  • ns4.helpchecks.net
  • ns4.helpupdated.com
  • ns4.helpupdated.org
  • ns4.helpupdatek.at
  • ns4.helpupdater.net
  • ns4.mysearchhere.net
  • ns4.searchhereonline.net
  • ns4.theimageparlour.net
  • ns4.thepicturehut.net
  • peazoom.com
  • thethoughtzone.net
  • usezoom.com
  • vrera.com
  • zoomslovenia.com

The worm tries the following domain extensions in the order listed, moving to the next one if it cannot connect:

  • .com
  • .net
  • .org
  • .biz
  • .info
  • .by

The worm contacts these remote hosts using any of the following TCP ports:

  • 2002
  • 7001
  • 7002
  • 7003
  • 7004
  • 7005
  • 8000
  • 8003
  • 9002
  • 9003
  • 9004

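The naming scheme above (a fixed domain string, a variant number, and a rotating extension) and the port list are enough to write a detection that also catches numbers and extensions not yet on the list. The block below is an added example and not code from the write-up or from Microsoft: the extension order, ports and domain strings come from the text above; the DNS and connection log formats, client addresses and the 192.0.2.0/24 destination addresses are constructed for the example. It also assumes the variant number is fixed per binary (the two examples above differ in number and extension together), so only the extension rotates on failure.

```python
"""Expand the Vobfus C2 naming scheme and match it against log lines.

Added example (not from the write-up or from Microsoft): the TLD order, ports
and domain strings are taken from the text above; the log formats and client
addresses are constructed for the example.
"""
from __future__ import annotations

import re
from typing import Iterable

# Domain extensions in the order the worm tries them (from the write-up).
TLD_ORDER = [".com", ".net", ".org", ".biz", ".info", ".by"]
# .at and .cn are not in TLD_ORDER but occur in the listed domains.
OBSERVED_TLDS = set(TLD_ORDER) | {".at", ".cn"}
# TCP ports the worm uses to reach its hosts (from the write-up).
C2_PORTS = {2002, 7001, 7002, 7003, 7004, 7005, 8000, 8003, 9002, 9003, 9004}

# A subset of the "domain strings" listed above, verbatim.
KNOWN_DOMAINS = [
    "codeconline.net", "imagehut2.cn", "msdip.com", "ns1.backdate1.com",
    "ns1.cpuchecks", "ns1.helpcheck1", "ns1.helpchecks", "ns1.helpupdated",
    "ns1.helpupdatek.at", "ns1.player1532", "ns1.timedate1.org",
    "ns1.timedate3.com", "peazoom.com", "thethoughtzone.net",
]


def stem(domain: str) -> str:
    """Reduce a listed domain to the part that stays constant across variants:
    drop a known TLD, the trailing variant number and an ns<N>. label,
    e.g. 'ns1.timedate3.com' -> 'timedate', 'imagehut2.cn' -> 'imagehut'."""
    for tld in sorted(OBSERVED_TLDS, key=len, reverse=True):
        if domain.lower().endswith(tld):
            domain = domain[: -len(tld)]
            break
    domain = re.sub(r"^ns\d+\.", "", domain, flags=re.I)
    return re.sub(r"\d+$", "", domain).lower()


def candidates(domain_string: str, number: int) -> list[str]:
    """Hosts a variant built as <domain string><number>.<extension> tries,
    in the worm's extension order (assumption: number fixed per binary)."""
    return [f"{domain_string}{number}{tld}" for tld in TLD_ORDER]


def build_matcher(known: Iterable[str]) -> re.Pattern[str]:
    """Regex matching any <nsN.><stem><digits>.<tld> built from the stems of
    the known domains, so unseen numbers and extensions are still caught."""
    stems = sorted({stem(d) for d in known}, key=len, reverse=True)
    stem_alt = "|".join(re.escape(s) for s in stems)
    tld_alt = "|".join(re.escape(t[1:]) for t in sorted(OBSERVED_TLDS))
    return re.compile(rf"^(?:ns\d+\.)?(?:{stem_alt})\d*\.(?:{tld_alt})$", re.I)


# Constructed log formats (not from the write-up):
#   <timestamp> <client-ip> query <qname> <qtype>
#   <timestamp> <src-ip> -> <dst-ip>:<port> tcp
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")
CONN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([\d.]+):(\d+)\s+tcp$")


def scan_dns_log(lines: Iterable[str], matcher: re.Pattern[str] | None = None) -> list[tuple[str, str]]:
    """(client, qname) pairs whose query name fits the Vobfus naming scheme."""
    matcher = matcher or build_matcher(KNOWN_DOMAINS)
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group(3).rstrip(".").lower()
        if matcher.match(qname):
            hits.append((m.group(2), qname))
    return hits


def scan_conn_log(lines: Iterable[str]) -> list[tuple[str, str, int]]:
    """(src, dst, port) for TCP connections to one of the worm's C2 ports.
    Port alone is a weak signal; correlate it with scan_dns_log hits."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if m and int(m.group(4)) in C2_PORTS:
            hits.append((m.group(2), m.group(3), int(m.group(4))))
    return hits


# Constructed sample lines; 192.0.2.0/24 is the documentation range, not a real C2.
SAMPLE_DNS = [
    "2014-10-03T09:41:07Z 10.20.4.17 query ns1.timedate3.com. A",
    "2014-10-03T09:41:09Z 10.20.4.17 query ns1.timedate3.net. A",
    "2014-10-03T09:41:12Z 10.20.4.17 query www.microsoft.com. A",
    "2014-10-03T09:41:15Z 10.20.4.22 query ns3.helpupdatek.at. A",
    "2014-10-03T09:41:18Z 10.20.4.31 query mail.example.org. MX",
]
SAMPLE_CONN = [
    "2014-10-03T09:41:20Z 10.20.4.17 -> 192.0.2.13:7001 tcp",
    "2014-10-03T09:41:21Z 10.20.4.17 -> 192.0.2.1:443 tcp",
    "2014-10-03T09:41:25Z 10.20.4.22 -> 192.0.2.32:9004 tcp",
]

if __name__ == "__main__":
    print(candidates("ns1.timedate", 3))
    print(scan_dns_log(SAMPLE_DNS))
    print(scan_conn_log(SAMPLE_CONN))
```

The two consecutive queries from 10.20.4.17 for the same name under .com and then .net are exactly the fall-through behaviour described above, and that sequence is a stronger signal than any single name on a blocklist; the port check is only useful once a host has already surfaced in the DNS hits.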
We have observed these hosts resolving to the following IP addresses:

  • 188.65.<removed>.13
  • 192.162.<removed>.73
  • 46.28.<removed>.32
  • 60.172.<removed>.143
  • 60.172.<removed>.144
  • 60.173.<removed>.9
  • 78.46.<removed>.198
  • 78.47.<removed>.165
  • 94.250.<removed>.83

The worm downloads files from the remote host into the %USERPROFILE% folder, using a random file name that it acquired from the decrypted commands, for example neode.exe.

Older variants have been observed dropping and/or downloading malware belonging to the following families:

Newer variants, however, have been observed downloading variants from the TrojanDownloader:Win32/Beebone family.

Analysis by Edgardo Diaz Jr & Patrick Estavillo


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry changes:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random>"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "Load"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

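The two autostart entries, described under Installation and listed again above, are the artifacts most worth checking on a suspect PC. The following is an added example and not code from the write-up or from Microsoft: the key paths and the path-plus-switch shape come from the text above; the registry export it scans, and the OneDrive-style entry in it that stands in for a normal Run value, are constructed. It assumes that legitimate Run values point into Program Files or AppData rather than the profile root itself, and it additionally accepts "C:\Users\<user>\" so the same check works on Vista and later profile layouts (the write-up only shows the XP-era path).

```python
"""Find the two autostart entries the write-up describes (a Run value and the
"Load" value) in a .reg export or the live hive, and flag those that launch an
.exe straight out of the profile root.

Added example, not code from the write-up or from Microsoft.  Key paths and
the path/switch shape come from the text above; the export and the
non-malicious entry in it are constructed.  Assumption: legitimate Run
entries point into Program Files or AppData, not the profile root itself.
"""
from __future__ import annotations

import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# <drive>:\<profile root>\<user>\<name>.exe [/<switch>], optionally quoted.
# "documents and settings" is the XP-era path shown above; "users" is added
# here on the assumption that the same layout would be used under Vista+.
PROFILE_ROOT_EXE = re.compile(
    r'^"?(?P<path>[a-z]:\\(?:documents and settings|users)\\[^\\"]+\\[^\\"]+\.exe)"?'
    r"(?:\s+/(?P<switch>\w+))?\s*$",
    re.I,
)
REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def entries_from_reg_export(text: str) -> list[tuple[str, str, str]]:
    """(key_path, value_name, data) for every REG_SZ value in a
    'Windows Registry Editor Version 5.00' export; dword/hex values are skipped."""
    entries: list[tuple[str, str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = REG_SZ_LINE.match(line)
            if m:
                entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def entries_from_live_registry() -> list[tuple[str, str, str]]:
    """Same shape, read from the current user's hive.  Windows only."""
    import winreg  # standard library, but only importable on Windows

    out: list[tuple[str, str, str]] = []
    for key_path in (RUN_KEY, LOAD_KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path.split("\\", 1)[1]) as k:
                i = 0
                while True:
                    try:
                        name, data, kind = winreg.EnumValue(k, i)
                    except OSError:        # no more values
                        break
                    if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                        out.append((key_path, name, data))
                    i += 1
        except OSError:                    # key absent
            pass
    return out


def find_persistence(entries: list[tuple[str, str, str]]) -> list[dict]:
    """Flag Run values that launch from the profile root, and any non-empty
    Load value (the win.ini 'load=' successor, rarely set legitimately)."""
    hits: list[dict] = []
    for key, name, data in entries:
        m = PROFILE_ROOT_EXE.match(data)
        if key.lower() == RUN_KEY.lower() and m:
            hits.append({"key": key, "value": name, "path": m["path"], "switch": m["switch"],
                         "reason": "Run value launches an .exe from the profile root"})
        elif key.lower() == LOAD_KEY.lower() and name.lower() == "load" and data.strip():
            hits.append({"key": key, "value": name, "path": m["path"] if m else data,
                         "switch": m["switch"] if m else None,
                         "reason": "non-empty Load value"})
    return hits


# Constructed export: the Vobfus entries use the example from the write-up;
# the OneDrive-style line stands in for a normal, unflagged Run entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"zkyip"="C:\\documents and settings\\administrator\\zkyip.exe /f"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\documents and settings\\administrator\\zkyip.exe /t"
"DeviceNotSelectedTimeout"="15"
'''

if __name__ == "__main__":
    for hit in find_persistence(entries_from_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

On a live Windows PC call `find_persistence(entries_from_live_registry())`; offline, export the two keys with `reg export` from the suspect profile (or from a mounted NTUSER.DAT) and feed the file to `entries_from_reg_export`. A hit on the "Load" value should be treated as malicious until proven otherwise regardless of the path it points to.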
Prevention


Alert level: Severe
This entry was first published on: Mar 03, 2010
This entry was updated on: Oct 03, 2014

This threat is also detected as:
No known aliases