
Worm:Win32/Vobfus


Microsoft security software detects and removes this threat.

Worm:Win32/Vobfus is a family of worms that spread via removable drives and download additional malware from remote servers; these obfuscated worms are written in Visual Basic (VB).

Because Vobfus is often downloaded by other malware and itself downloads other malware, a Vobfus detection on your PC means you may also be infected with any number of other malware families. To detect and remove this threat and any other malware that may be installed on your PC, run a full system scan with an up-to-date security solution.



What to do now

The following Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Additional remediation instructions for Vobfus:

This threat may make lasting changes to a PC's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected PC to its pre-infected state, please see the following articles:

Threat behavior

Worm:Win32/Vobfus is a family of worms that spread via removable drives and download additional malware from remote servers; these obfuscated worms are written in Visual Basic (VB).

Vobfus is a known co-infector: it is often downloaded by other malware, and it also downloads other malware itself. Currently, we are seeing detections from the following malware families on PCs where we detect Vobfus:

Installation

In the wild, we have observed variants of Vobfus being downloaded by variants of Win32/Beebone.

When it runs, Win32/Vobfus creates a mutex named "A" to mark its infection and to make sure that only a single copy of its process is running on your PC at any one time.

It then drops a copy of itself directly in the user profile folder, "C:\Documents and Settings\<user>", using a random file name, for example:

C:\documents and settings\Administrator\zkyip.exe

It then creates the following registry entries so that it runs each time you log on. The Run key is the usual autostart location; the "Load" value under the Windows NT\CurrentVersion\Windows key is a second, less familiar autostart location that is also processed at logon and is normally absent on a clean PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

For example:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"

Spreads via...

Network and removable drives

The worm copies itself to the root directory of network and removable drives as "rcx<hexadecimal number>.tmp", then renames that TMP file to one of the following:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • system.exe

The worm then writes an Autorun configuration file named "autorun.inf" that points to the worm copy. If the drive is accessed from a PC that has the Autorun feature enabled, the worm is launched automatically.
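The following Windows PowerShell script is an added example, not code from the original write-up or from Microsoft: it inspects every removable and network drive for the spreading artefacts described above (an autorun.inf, the six file names the worm renames to, and an rcx*.tmp staging copy). The function names are this example's own. It only reads the drive; reading autorun.inf does not execute it.

```powershell
# Added example, not part of the original write-up: looks on removable and
# network drives for the artefacts described above. It only reads files; it
# never executes anything on the drive.

$knownNames = 'passwords.exe','porn.exe','secret.exe','sexy.exe','subst.exe','system.exe'

# Returns the file(s) an autorun.inf would launch. Besides "open=", Autorun
# also honours "shellexecute=" and "shell\<verb>\command=" lines.
function Get-AutorunTargets {
    param([string]$Text)
    $targets = @()
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -imatch '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return ,$targets
}

function Find-VobfusOnDrive {
    param([string]$Root)   # e.g. 'E:\'
    $hits = @()
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path $inf) {
        foreach ($t in @(Get-AutorunTargets ([IO.File]::ReadAllText($inf)))) {
            $hits += "autorun.inf launches: $t"
        }
    }
    foreach ($n in $knownNames) {
        $p = Join-Path $Root $n
        if (Test-Path $p) { $hits += "known worm file name: $p" }
    }
    # A copy that was never renamed from its staging name. -Force so that
    # hidden files are included.
    foreach ($f in @(Get-ChildItem -Path $Root -Filter 'rcx*.tmp' -Force -ErrorAction SilentlyContinue)) {
        $hits += "staging copy: $($f.FullName)"
    }
    return ,$hits
}

# Win32_LogicalDisk DriveType 2 = removable, 4 = network
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 4 }
foreach ($d in @($drives)) {
    $root = $d.DeviceID + '\'
    $hits = Find-VobfusOnDrive $root
    if ($hits.Count -gt 0) { "$root suspicious:"; $hits | ForEach-Object { "  $_" } }
    else                   { "$root clean" }
}
```

Run it from an elevated Windows PowerShell prompt on the PC the drive is plugged into; on PowerShell 7 replace Get-WmiObject with Get-CimInstance. A hit on autorun.inf alone is not proof (some vendor drives ship one), but an autorun.inf whose open= target is one of the six names above is. Independently of this worm, the Autorun vector itself is closed by setting NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.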

Payload

Changes PC settings

Worm:Win32/Vobfus changes the following registry entry to prevent you from changing whether protected operating system files (files carrying both the hidden and system attributes) are displayed in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
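A per-user triage script for the persistence entries, the ShowSuperHidden change and the mutex described above, added here as an example and not part of the original write-up. It is Windows PowerShell (2.0 or later) and must be run as the affected user, because both keys are under HKCU and the mutex lives in that user's session. It assumes the autostart data has the shape shown in this page's examples (an .exe directly in the profile root, optionally followed by one single-letter switch); that pattern and the function names are this example's assumptions.

```powershell
# Added triage script, not part of the original write-up. Run in Windows
# PowerShell as the affected user: the keys are HKCU and the mutex is
# created in that user's logon session.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Assumed shape, taken from the examples on this page:
#   "<profile root>\<name>.exe [/x]"   e.g. C:\documents and settings\administrator\zkyip.exe /f
# i.e. an executable directly in the profile root, not in a subfolder.
function Test-VobfusStyleCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    $root    = [regex]::Escape($env:USERPROFILE)
    $pattern = '^"?' + $root + '\\[^\\"]+\.exe"?(\s+/[a-z])?\s*$'
    return [bool]($Command -imatch $pattern)
}

function Get-SuspectAutostartEntries {
    $found = @()
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }   # provider metadata, not values
            if (Test-VobfusStyleCommand $p.Value) {
                $found += New-Object PSObject -Property @{ Key = $runKey; Name = $p.Name; Data = $p.Value }
            }
        }
    }
    # The Load value is also run at logon and is normally absent, so any
    # content is reported, not only content matching the pattern.
    $load = (Get-ItemProperty -Path $loadKey -Name Load -ErrorAction SilentlyContinue).Load
    if ($load) {
        $found += New-Object PSObject -Property @{ Key = $loadKey; Name = 'Load'; Data = $load }
    }
    return ,$found
}

# ShowSuperHidden = 0 hides files with the hidden+system attributes. 0 is
# also the Windows default, so the value only tells you something if you had
# turned the setting on and now find it switched back.
function Get-ShowSuperHidden {
    $v = Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.ShowSuperHidden } else { return -1 }   # -1: value absent
}

# The mutex name given above has no Global\ prefix, so it is only visible
# from the same logon session. Existing-but-inaccessible counts as present.
function Test-VobfusMutex {
    try {
        $m = [System.Threading.Mutex]::OpenExisting('A')
        $m.Close()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

Get-SuspectAutostartEntries | Format-Table Key, Name, Data -AutoSize
'ShowSuperHidden value : ' + (Get-ShowSuperHidden)
"Mutex 'A' present     : " + (Test-VobfusMutex)
```

Treat the three results as independent signals. A single-letter mutex name is so generic that some other program may own it, and ShowSuperHidden = 0 is the default on a fresh install; the Run or Load entry pointing at a short random .exe in the profile root is the strong indicator, and the file it names is what to submit for analysis.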

Drops, downloads and runs other malware

Worm:Win32/Vobfus tries to connect to a remote host to receive encrypted commands that, when decrypted, specify the following:

<URL to download><Save as file name>

The remote host's address is hard-coded in each variant's binary and changes as the malware author releases new binaries. The address may be a full host name (for example, ns1.player1532) or assembled as <domain string><number>.<domain extension>, for example:

  • ns1.timedate1.org
  • ns1.timedate3.com

Common domain strings used by Worm:Win32/Vobfus include:

  • codeconline.net
  • imagehut2.cn
  • msdip.com
  • ns1.backdate1.com
  • ns1.backupdate1.com
  • ns1.cpuchecks
  • ns1.datetoday1.org
  • ns1.helpcheck1
  • ns1.helpchecks
  • ns1.helpchecks.net
  • ns1.helpupdated
  • ns1.helpupdated.com
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdater
  • ns1.helpupdater.net
  • ns1.mysearchhere.net
  • ns1.searchhereonline.net
  • ns1.theimageparlour.net
  • ns1.thepicturehut.net
  • ns1.timedate3.com
  • ns2.helpchecks.net
  • ns2.helpupdated.com
  • ns2.helpupdated.org
  • ns2.helpupdatek.at
  • ns2.helpupdater.net
  • ns2.mysearchhere.net
  • ns2.searchhereonline.net
  • ns2.theimageparlour.net
  • ns2.thepicturehut.net
  • ns3.helpchecks.net
  • ns3.helpupdated.com
  • ns3.helpupdated.org
  • ns3.helpupdatek.at
  • ns3.helpupdater.net
  • ns3.mysearchhere.net
  • ns3.searchhereonline.net
  • ns3.theimageparlour.net
  • ns3.thepicturehut.net
  • ns4.helpchecks.net
  • ns4.helpupdated.com
  • ns4.helpupdated.org
  • ns4.helpupdatek.at
  • ns4.helpupdater.net
  • ns4.mysearchhere.net
  • ns4.searchhereonline.net
  • ns4.theimageparlour.net
  • ns4.thepicturehut.net
  • peazoom.com
  • thethoughtzone.net
  • usezoom.com
  • vrera.com
  • zoomslovenia.com

The worm uses the following domain extensions (note that it will attempt to use each domain extension as ordered below, moving to the next one on the list if it cannot connect):

  • .com
  • .net
  • .org
  • .biz
  • .info
  • .by

The worm contacts these remote hosts using any of the following TCP ports:

  • 2002
  • 7001
  • 7002
  • 7003
  • 7004
  • 7005
  • 8000
  • 8003
  • 9002
  • 9003
  • 9004

We have observed these hosts resolving to the following IP addresses:

  • 188.65.<removed>.13
  • 192.162.<removed>.73
  • 46.28.<removed>.32
  • 60.172.<removed>.143
  • 60.172.<removed>.144
  • 60.173.<removed>.9
  • 78.46.<removed>.198
  • 78.47.<removed>.165
  • 94.250.<removed>.83

The worm downloads files from the remote host into the %USERPROFILE% folder, using the file name supplied in the decrypted command, for example neode.exe.
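The host-name pattern, extension order and port list above are more useful as a matcher than as a flat blocklist, because the nsN label, the number and the extension vary between binaries. The Windows PowerShell below is an added example, not code from the original write-up: it reduces the listed domain strings to their stems and matches proxy-style log records against stem, extension and port. Matching on stems is this example's generalisation of the page's pattern, the log records at the end are constructed, and the function names are its own.

```powershell
# Added example, not part of the original write-up: turns the host-name
# pattern, extension order and port list above into a matcher for proxy or
# DNS log records. The log lines at the end are constructed for illustration.

# The "common domain strings" listed above, as printed on this page (subset).
$pageStrings = @(
    'codeconline.net','imagehut2.cn','msdip.com','ns1.backdate1.com','ns1.backupdate1.com',
    'ns1.cpuchecks','ns1.datetoday1.org','ns1.helpcheck1','ns1.helpchecks','ns1.helpchecks.net',
    'ns1.helpupdated','ns1.helpupdatek.at','ns1.helpupdater','ns1.mysearchhere.net',
    'ns1.searchhereonline.net','ns1.theimageparlour.net','ns1.thepicturehut.net','ns1.timedate3.com',
    'peazoom.com','thethoughtzone.net','usezoom.com','vrera.com','zoomslovenia.com'
)
$tlds  = 'com','net','org','biz','info','by'
$ports = 2002,7001,7002,7003,7004,7005,8000,8003,9002,9003,9004

# Reduce a listed string to its stem: drop the nsN. label, a trailing
# extension and trailing digits, so 'ns1.timedate3.com' -> 'timedate'.
# Matching on stems is this example's generalisation: the nsN label and the
# number vary between binaries, and the extension is chosen at run time.
function Get-Stem {
    param([string]$s)
    $s = $s.ToLower() -replace '^ns\d+\.', ''
    $s = $s -replace '\.[a-z]+$', ''
    return ($s -replace '\d+$', '')
}

$stems     = $pageStrings | ForEach-Object { Get-Stem $_ } | Sort-Object -Unique
$stemAlt   = ($stems | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hostRegex = '^(ns\d+\.)?(' + $stemAlt + ')\d*\.(' + ($tlds -join '|') + ')$'

# Returns 'name+port', 'name' or $null. DNS logs carry no port; pass 0.
function Test-VobfusC2 {
    param([string]$HostName, [int]$Port = 0)
    $h = $HostName.ToLower().TrimEnd('.')
    $nameHit = ($h -match $hostRegex) -or ($pageStrings -contains $h)
    if (-not $nameHit) { return $null }
    if ($Port -eq 0 -or $ports -contains $Port) { return 'name+port' }
    return 'name'
}

# Constructed proxy-style records: "<time> <client> <action> <host>:<port>"
$sampleLog = @(
    '2013-10-07 10:01:02 10.0.0.5 TCP_MISS ns1.timedate3.com:9002',
    '2013-10-07 10:01:05 10.0.0.5 TCP_MISS ns2.helpupdater.net:7001',
    '2013-10-07 10:01:09 10.0.0.7 TCP_MISS www.microsoft.com:443',
    '2013-10-07 10:01:11 10.0.0.9 TCP_MISS ns3.mysearchhere.org:80'
)
foreach ($line in $sampleLog) {
    if ($line -match '(\S+):(\d+)\s*$') {
        $verdict = Test-VobfusC2 $Matches[1] ([int]$Matches[2])
        if ($verdict) { "{0,-10} {1}" -f $verdict, $line }
    }
}
```

On the constructed records the first two lines come back as name+port, the fourth as name only (a listed stem on an unlisted port), and the Microsoft line is not reported. Read a name-only hit as a lead to pivot on (which client, what did it download into %USERPROFILE%) rather than a verdict: these domains date from 2010 to 2013 and may have been sinkholed or re-registered since.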

Older variants have been observed dropping and/or downloading malware belonging to the following families:

Newer variants, however, have been observed downloading variants from the TrojanDownloader:Win32/Beebone family.

Analysis by Edgardo Diaz Jr & Patrick Estavillo


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry changes:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "<random>"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "Load"
    With data: "C:\documents and settings\<user>\<random>.exe [/random parameter]"

  • An "autorun.inf" file in the root of a removable or network drive, together with a file named passwords.exe, porn.exe, secret.exe, sexy.exe, subst.exe or system.exe

Prevention


Alert level: Severe
First detected by definition: 1.77.268.0
Latest detected by definition: 1.185.300.0 and higher
First detected on: Mar 03, 2010
This entry was first published on: Mar 03, 2010
This entry was updated on: Oct 07, 2013

This threat is also detected as:
No known aliases