Worm:Win32/Vobfus.C


Worm:Win32/Vobfus.C is a worm that spreads to removable and remote drives, changes Windows settings and may download other malware.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally, it may be necessary to temporarily set network shares to read-only until the disinfection process is complete, since the worm needs write access to a share in order to copy itself there.
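The following script is an added example, not part of the original write-up, that carries out the audit side of the four steps above on one Windows host: it lists the non-administrative shares and who can write to them, the mapped drives (each of which is a "remote drive" the worm enumerates), and the local paths behind the shares so they can be handed to the scanner. It assumes PowerShell 3 or later with the SmbShare module (Windows 8 / Server 2012 and later) in an elevated session, and the share name "Public" in the commented-out read-only step is a placeholder. The script itself changes nothing.

```powershell
# Added example, not part of the original write-up: audit the shares and
# mapped drives of a Windows host before disinfecting a network, following the
# four steps above. Assumes PowerShell 3 or later with the SmbShare module
# (Windows 8 / Server 2012 and later) in an elevated session. It only reports.

# Steps 1 and 3: non-administrative shares, who can write to them, and whether
# that includes everyone. Vobfus.C needs write access to a share to spread.
$shareReport = foreach ($share in Get-SmbShare -Special $false) {
    $writers = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Full','Change' }
    [pscustomobject]@{
        Share     = $share.Name
        Path      = $share.Path
        Writers   = ($writers | ForEach-Object AccountName) -join ', '
        OpenToAll = [bool]($writers | Where-Object { $_.AccountName -match 'Everyone|Authenticated Users' })
    }
}
$shareReport | Sort-Object OpenToAll -Descending | Format-Table -AutoSize

# Step 4: mapped drives on this host. Each one is a "remote drive" the worm
# enumerates, so unneeded mappings are candidates for removal.
Get-SmbMapping | Format-Table LocalPath, RemotePath, Status -AutoSize

# Step 2: the local folders behind the shares, as a list to hand to the
# antivirus scanner so that every shared folder is covered.
$shareReport | ForEach-Object Path | Sort-Object -Unique

# The note above: making a share read-only until cleanup is done. Shown for a
# hypothetical share named 'Public', commented out so the audit changes nothing.
# Revoke-SmbShareAccess -Name 'Public' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Public' -AccountName 'Everyone' -AccessRight Read -Force
```

On hosts older than Windows 8 / Server 2012 the SmbShare cmdlets are absent; `net share` and `net use` give the same share and mapping lists there, and the share permissions have to be read from the share's Properties dialog or with `net share <name>`.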

Threat behavior

Worm:Win32/Vobfus.C is a worm that spreads to removable and remote drives, changes Windows settings and may download other malware.
Installation
When run, the worm drops a copy of itself into the logged-on user's profile directory under a random six-character file name, as in this example:
 
%USERPROFILE%\viuoqu.exe
 
The registry is modified to run the dropped copy at each Windows start, as in this example:
 
Adds value: "viuoqu"
With data: "%USERPROFILE%\viuoqu.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads Via…
Removable drives
Worm:Win32/Vobfus.C enumerates removable drives and drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each removable drive:
 
<drive:>\viuoqu.exe
<drive:>\viuoqu.scr
 
The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy with the ".exe" file extension. When the drive is accessed from a machine on which the Autorun feature is enabled, the worm is launched automatically.
 
Remote drives
Worm:Win32/Vobfus.C drops copies of the worm executable (for example, "viuoqu.exe" and "viuoqu.scr") under the root folder of each writable remote drive:
 
<drive:>\viuoqu.exe
<drive:>\viuoqu.scr
 
The worm also creates shortcuts in the root directory of each remote drive, each named after an existing folder in that root directory, for example:
 
<Remote drive:>\new folder.lnk
<Remote drive:>\passwords.lnk
<Remote drive:>\documents.lnk
<Remote drive:>\pictures.lnk
<Remote drive:>\music.lnk
<Remote drive:>\video.lnk
 
Each shortcut points to the dropped worm executable with the ".scr" file extension. Once a user opens the shortcut, expecting to open the folder, the worm copy executes.
Payload
Modifies Windows settings
The worm disables the display of protected operating system files (files carrying both the "hidden" and "system" attributes, which Explorer hides when "Hide protected operating system files" is selected) by modifying the following registry data, so that its own dropped files stay out of view:
 
Modifies value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
 
Downloads other malware
The worm also attempts to connect to a remote host "ns<one random number>.theimageparlour.net" on TCP port 8000 to download further malicious binaries.
 
Analysis by Lena Lin

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of randomly named files on local, removable and remote drives, as in these examples:
    %USERPROFILE%\viuoqu.exe
    <drive:>\viuoqu.exe
    <drive:>\viuoqu.scr
    <drive:>\autorun.inf
    <Remote drive:>\viuoqu.exe
    <Remote drive:>\viuoqu.scr
    <Remote drive:>\new folder.lnk
    <Remote drive:>\passwords.lnk
    <Remote drive:>\documents.lnk
    <Remote drive:>\pictures.lnk
    <Remote drive:>\music.lnk
    <Remote drive:>\video.lnk
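The script below is an added example, not part of the original write-up, that sweeps one host for the indicators listed above. Because the six-letter file name is random per infection, it matches on the pattern the write-up describes (a six-letter .exe/.scr pair at a drive root, an autorun.inf whose open or shellexecute line points at such a file, a .lnk named after a folder in the same root or pointing at a .scr, the Run value under %USERPROFILE%, and ShowSuperHidden set to 0) rather than on the sample name "viuoqu". It assumes PowerShell 3 or later and is run in the affected user's session so that HKCU is that user's hive; it reports and deletes nothing, leaving removal to the antivirus scan recommended above.

```powershell
# Added example, not part of the original write-up: a read-only sweep for the
# Vobfus.C indicators listed above. It reports what it finds and deletes
# nothing. Assumes PowerShell 3 or later, run in the affected user's session.

$sixLetters = '^[a-z]{6}$'          # -match is case-insensitive by default
$findings   = New-Object System.Collections.Generic.List[string]
$wsh        = New-Object -ComObject WScript.Shell   # used to read .lnk targets

# 1. A Run value whose data is %USERPROFILE%\<six letters>.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # provider metadata, not a value
        $data = ([string]$p.Value).Trim('"')
        $inProfile = ($data -match '%USERPROFILE%') -or ($data -like "$env:USERPROFILE\*")
        $leaf = [IO.Path]::GetFileNameWithoutExtension($data)
        if ($inProfile -and $data -match '\.exe$' -and $leaf -match $sixLetters) {
            $findings.Add("Run value '$($p.Name)' = $data")
        }
    }
}

# 2. ShowSuperHidden forced to 0 hides the dropped files from Explorer
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings.Add("$advKey\ShowSuperHidden = 0") }

# 3. Every drive root: fixed, removable and mapped. -Force includes hidden items,
#    which matters because the dropped files carry the hidden attribute.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $items = @(Get-ChildItem -LiteralPath $drive.Root -Force -ErrorAction SilentlyContinue)
    $dirs  = @($items | Where-Object PSIsContainer | ForEach-Object { $_.Name.ToLower() })
    foreach ($f in ($items | Where-Object { -not $_.PSIsContainer })) {
        $base = [IO.Path]::GetFileNameWithoutExtension($f.Name).ToLower()
        switch ($f.Extension.ToLower()) {
            '.exe' { if ($base -match $sixLetters) { $findings.Add($f.FullName) } }
            '.scr' { if ($base -match $sixLetters) { $findings.Add($f.FullName) } }
            '.lnk' {
                # A shortcut named like a sibling folder, or pointing at a .scr, is the lure
                $target = ''
                try { $target = $wsh.CreateShortcut($f.FullName).TargetPath } catch { }
                if ($dirs -contains $base -or $target -match '\.scr$') {
                    $findings.Add("$($f.FullName) -> $target")
                }
            }
            '.inf' {
                if ($f.Name -eq 'autorun.inf') {
                    $lines  = @(Get-Content -LiteralPath $f.FullName -ErrorAction SilentlyContinue)
                    $launch = @($lines | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
                    $findings.Add("$($f.FullName): $launch")
                }
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "FOUND: $_" } }
else                       { 'No Vobfus.C indicators found.' }
```

Run it from a session in which the removable and mapped drives of interest are attached; Get-PSDrive only sees drives that are currently mapped for that user. A six-letter .exe at a drive root is not proof of infection on its own, so treat each line of output as something to scan and inspect rather than as a verdict.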

Prevention


Alert level: Severe
First detected by definition: 1.65.778.0
Latest detected by definition: 1.177.1433.0 and higher
First detected on: Sep 15, 2009
This entry was first published on: Nov 05, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Vobfus.A (Command)
  • Trojan.VB.Chinky.C (BitDefender)
  • Trojan.Agent-122844 (Clam AV)
  • Win32/AutoRun.VB.GA (ESET)
  • Worm.Win32.VBNA.idv (Kaspersky)
  • W32/VBNA.worm (McAfee)
  • VBWorm.XPH (Norman)
  • W32/Vobfus.gen.worm (Panda)
  • W32/SillyFDC-DV (Sophos)