Worm:Win32/Vobfus.A is a worm that installs Worm:Win32/Vobfus.E, changes Windows settings and may download other malware.
When run, Win32/Vobfus.A drops a copy of Worm:Win32/Vobfus.E as the following:
%USERPROFILE%\%USERNAME%.exe (e.g. C:\Documents and Settings\Administrator\Administrator.exe)
The registry is modified to run the dropped worm copy at each Windows start.
Adds value: "%USERNAME%" (e.g. "Administrator")
With data: "%USERPROFILE%\%USERNAME%.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When the worm runs, it enumerates removable drives and drops a copy as the following:
<drive:>\%USERNAME%.exe (e.g. F:\Administrator.exe)
The worm then writes an autorun configuration file named "autorun.inf" that points to the worm copy. When the drive is accessed from a machine that supports the Autorun feature, the worm copy is launched automatically.
Changes Windows settings
Worm:Win32/Vobfus.A modifies the registry so that files with the "system" and "hidden" file attributes are not shown.
Modifies value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Connects to remote website
Worm:Win32/Vobfus.A connects to the website "ns1.theimageparlour.net" using TCP port 8000, possibly to download other malware or allow communication with a remote attacker.
Analysis by Hong Jia
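The indicators described above can be checked together against a collected host snapshot. The following is an added example, not part of the original analysis; the snapshot layout, function names and sample data are hypothetical and constructed for illustration.

```python
import ntpath

C2 = ("ns1.theimageparlour.net", 8000)  # host and TCP port named on this page

def autorun_targets(inf_text):
    """File names that an autorun.inf launches via open=, shellexecute= or shell\\...\\command=."""
    targets = set()
    for line in inf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key.startswith(";"):
            continue  # section headers, junk lines, comments
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            # Keep only the program path: quoted path, or first whitespace-separated token.
            exe = value[1:].split('"')[0] if value.startswith('"') else value.split()[0]
            targets.add(ntpath.basename(exe).lower())
    return targets

def vobfus_a_indicators(snap):
    """Return the page's indicators found in a snapshot dict (hypothetical layout)."""
    user = snap["username"].lower()
    dropped = user + ".exe"
    expected = ntpath.join(snap["userprofile"], dropped).lower()
    hits = []
    run = {k.lower(): v.strip('"').lower() for k, v in snap["run"].items()}  # names are case-insensitive
    if run.get(user) == expected:
        hits.append("run_key")
    for drive, info in snap["removable"].items():
        files = {f.lower() for f in info["files"]}
        if dropped in files and dropped in autorun_targets(info.get("autorun_inf") or ""):
            hits.append("autorun:" + drive)
    if any((h.lower(), p) == C2 for h, p in snap.get("connections", [])):
        hits.append("c2")
    # ShowSuperHidden=0 does not identify the worm by itself; report it only as corroboration.
    if hits and str(snap["advanced"].get("ShowSuperHidden")) == "0":
        hits.append("show_super_hidden_0")
    return hits

# Constructed sample snapshot (not real telemetry).
SAMPLE = {
    "username": "Administrator", "userprofile": r"C:\Documents and Settings\Administrator",
    "run": {"administrator": r"C:\Documents and Settings\Administrator\Administrator.exe"},
    "advanced": {"ShowSuperHidden": 0},
    "removable": {"F:": {"files": ["Administrator.exe", "autorun.inf"],
                         "autorun_inf": "[autorun]\n;junk\nopen=Administrator.exe\nshell\\open\\command=F:\\Administrator.exe /x"}},
    "connections": [("ns1.theimageparlour.net", 8000)],
}

if __name__ == "__main__":
    print(vobfus_a_indicators(SAMPLE))
```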