Worm:Win32/Vobfus.C


Microsoft security software detects and removes this threat.
 
This threat can change your Windows setting and download other malware.
 
It spreads through infected removable drives, such as USB flash drives.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other hidden malware.

 

Be careful when sharing files

 

Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.

 

You can get more information and tips on how to share files safely from these pages:

 

 

You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.

 

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
When run, the worm drops a copy of itself into the logged-on user's profile directory under a random six-character file name, as in this example:
 
%USERPROFILE%\viuoqu.exe
 
The registry is modified to run the dropped copy at each Windows start, as in this example:
 
Adds value: "viuoqu"
With data: "%USERPROFILE%\viuoqu.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads Via…
Removable drives
Worm:Win32/Vobfus.C enumerates removable drives and drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each removable drive:
 
<drive:>\viuoqu.exe
<drive:>\viuoqu.scr
 
The worm then writes an autorun configuration file named "autorun.inf" that points to the worm copy with the ".exe" file extension. When the drive is accessed from a machine that supports the Autorun feature, the worm is launched automatically.
 
Remote drives
Worm:Win32/Vobfus.C drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each writeable remote drive:
 
<drive:>\viuoqu.exe
<drive:>\viuoqu.scr
 
The worm also creates shortcuts in the root directory of remote drives. Each shortcut has the same name as an existing folder in that root directory, for example:
 
<Remote drive:>\new folder.lnk
<Remote drive:>\passwords.lnk
<Remote drive:>\documents.lnk
<Remote drive:>\pictures.lnk
<Remote drive:>\music.lnk
<Remote drive:>\video.lnk
 
The shortcut links to the dropped worm executable with the ".scr" file extension. Once the user opens the link, the worm copy executes.
Payload
Modifies Windows settings
The worm stops Windows from displaying system files that have the "hidden" attribute by modifying the following registry data:
 
Modifies value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
Downloads other malware
The worm also attempts to connect to a remote host "ns<one random number>.theimageparlour.net" on TCP port 8000 to download further malicious binaries.
 
Analysis by Lena Lin

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %USERPROFILE%\viuoqu.exe
    <drive:>\viuoqu.exe
    <drive:>\viuoqu.scr
    <drive:>\autorun.inf
    <Remote drive:>\viuoqu.exe
    <Remote drive:>\viuoqu.scr
    <Remote drive:>\new folder.lnk
    <Remote drive:>\passwords.lnk
    <Remote drive:>\documents.lnk
    <Remote drive:>\pictures.lnk
    <Remote drive:>\music.lnk
    <Remote drive:>\video.lnk
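
A triage check for the drive-root artifacts listed above, as an added example that is not part of the original write-up or Microsoft's tooling: it flags a same-named .exe/.scr pair, an autorun.inf whose launch entry names an .exe in the root, and .lnk files named after existing folders. The function names, the sample listing and the autorun.inf text are constructed for illustration.

```python
import os
import re

# autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(
    r"^[ \t]*(?:open|shellexecute)[ \t]*=[ \t]*(\S.*?)[ \t]*$", re.I | re.M)

def triage_root(entries, autorun_text=""):
    """entries: (name, is_dir) pairs for one drive root. Returns sorted findings."""
    files = {name.lower() for name, is_dir in entries if not is_dir}
    dirs = {name.lower() for name, is_dir in entries if is_dir}
    findings = []
    for name in files:
        stem, ext = os.path.splitext(name)
        # Worm copies are dropped side by side as <name>.exe and <name>.scr.
        if ext == ".exe" and stem + ".scr" in files:
            findings.append(f"exe/scr pair: {stem}")
        # Shortcuts are named after folders that already exist in the root.
        if ext == ".lnk" and stem in dirs:
            findings.append(f"folder-named shortcut: {name}")
    if "autorun.inf" in files:
        for value in LAUNCH_KEY.findall(autorun_text):
            # First token is taken as the program name (no spaces assumed).
            target = value.split()[0].strip('"').lstrip("\\").lower()
            if target.endswith(".exe") and target in files:
                findings.append(f"autorun target: {target}")
    return sorted(findings)

def triage_path(root):
    """Apply the same checks to a mounted drive or image at `root`."""
    entries = [(e.name, e.is_dir()) for e in os.scandir(root)]
    text = ""
    for name, is_dir in entries:
        if name.lower() == "autorun.inf" and not is_dir:
            with open(os.path.join(root, name), errors="replace") as fh:
                text = fh.read()
    return triage_root(entries, text)

# Constructed sample: the root listing from this write-up plus benign noise.
SAMPLE = [("viuoqu.exe", False), ("viuoqu.scr", False), ("autorun.inf", False),
          ("documents", True), ("pictures", True), ("documents.lnk", False),
          ("pictures.lnk", False), ("setup.exe", False), ("notes.lnk", False)]
SAMPLE_INF = "[autorun]\r\nopen=viuoqu.exe\r\n"  # constructed content

if __name__ == "__main__":
    for finding in triage_root(SAMPLE, SAMPLE_INF):
        print(finding)
```

The check looks only at names in the root; it does not parse shortcut targets, so a hit is a lead for a scan rather than a verdict.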

Prevention


Alert level: Severe
First detected by definition: 1.65.778.0
Latest detected by definition: 1.191.758.0 and higher
First detected on: Sep 15, 2009
This entry was first published on: Nov 05, 2009
This entry was updated on: Nov 05, 2014

This threat is also detected as:
  • W32/Vobfus.A (Command)
  • Trojan.VB.Chinky.C (BitDefender)
  • Trojan.Agent-122844 (Clam AV)
  • Win32/AutoRun.VB.GA (ESET)
  • Worm.Win32.VBNA.idv (Kaspersky)
  • W32/VBNA.worm (McAfee)
  • VBWorm.XPH (Norman)
  • W32/Vobfus.gen.worm (Panda)
  • W32/SillyFDC-DV (Sophos)