Encyclopedia entry
Updated:
Apr 17, 2011
| Published:
Oct 16, 2009
Aliases
W32/VBTrojan.6!Maximus
(Command)
-
Trojan.Agent.VB.BDS
(BitDefender)
-
Win32/AutoRun.VB.EW
(ESET)
-
Worm.Win32.Basun.wm
(Kaspersky)
-
MultiDropper-TD
(McAfee)
-
W32/SillyFDC-DS
(Sophos)
-
W32.Changeup
(Symantec)
-
Worm.VBNA.Gen
(VirusBuster)
Alert Level
(?)
Severe
Antimalware protection details
Microsoft recommends that you download the
latest definitions
to get protected.
Detection last updated:
Definition: 1.87.1904.0
Released: Aug 14, 2010
|
|
Detection initially created:
Definition: 1.65.778.0
Released: Sep 15, 2009
|
Summary
Worm:Win32/Vobfus.A is a worm that installs
Worm:Win32/Vobfus.E, changes Windows settings and may download other malware.
Symptoms
System changes
The following system changes may indicate the presence of this malware:
-
The presence of the following files:
%USERPROFILE%\%USERNAME%.exe (e.g. C:\Documents and Settings\Administrator\Administrator.exe)
<drive:>\%USERNAME%.exe (e.g. F:\Administrator.exe)
-
The presence of the following registry modifications:
Value: "%USERNAME%" (e.g. "Administrator")
With data: "%USERPROFILE%\%USERNAME%.exe"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Technical Information (Analysis)
Worm:Win32/Vobfus.A is a worm that installs
Worm:Win32/Vobfus.E, changes Windows settings and may download other malware.
Installation
When run, Win32/Vobfus.A drops a copy of Worm:Win32/Vobfus.E as the following:
%USERPROFILE%\%USERNAME%.exe (e.g. C:\Documents and Settings\Administrator\Administrator.exe)
The registry is modified to run the dropped worm copy at each Windows start.
Adds value: "%USERNAME%" (e.g. "Administrator")
With data: "%USERPROFILE%\%USERNAME%.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads Via…
Removable drives
When
Worm:Win32/Vobfus.E runs, it enumerates removable drives and drops a copy as the following:
<drive:>\%USERNAME%.exe (e.g. F:\Administrator.exe)
The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a machine supporting the Autorun feature, the virus is launched automatically.
Payload
Changes Windows settings
Worm:Win32/Vobfus.A modifies the registry to disable showing files having "system" and "hidden" file attributes.
Modifies value: "ShowSuperHidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Connects to remote website
Worm:Win32/Vobfus.A connects to the website "ns1.theimageparlour.net" using TCP port 8000 possibly to download other malware or allow communication with a remote attacker.
Analysis by Hong Jia
Prevention
Recovery
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
-
Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
-
Ensure that all available network shares are scanned with an up-to-date antivirus product.
-
-
Remove any unnecessary network shares or mapped drives.
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
