Worm:Win32/Vobfus.F is a worm that spreads to removable and remote drives, changes Windows settings, and may download other malware.
When run, the worm drops a copy of itself into the logged-on user's profile directory as a random character string as in this example:
The registry is modified to run the dropped copy at each Windows start, as in this example:
Adds value: "gilen"
With data: "%USERPROFILE%\gilen.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Vobfus.F enumerates removable drives and drops copies of the worm executable (for example, "gilen.exe" and "gilen.scr") under the root folder of each removable drive:
The worm then writes an autorun configuration file named "autorun.inf" pointing to the worm copy with ".exe" file extension. When the drive is accessed from a machine supporting the Autorun feature, the worm is launched automatically.
Worm:Win32/Vobfus.F drops copies of the worm executable (for example, "gilen.exe" and "gilen.scr") under the root folder of each writeable remote drive:
The worm also creates shortcuts under the root directory on remote drives that have the same name as existing folders in the root directory, f
<Remote drive:>\new folder.lnk
The shortcut links to the dropped worm executable with ".scr" file extension. Once the users opens the link, the worm copy executes.
Modifies Windows settings
The worm disables viewing of Windows system files with attributes "hidden" by modifying the following registry data:
Modifies value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\Currentersion\Explorer\Advanced
Downloads other malware
The worm also attempts connecting to a remote host "ns<one random number>.theimageparlour.net" using TCP port 8000 to download other malicious binaries.
Analysis by Aaron Putnam