Worm:Win32/Vobfus.H


Win32/Vobfus.H is a worm that spreads via removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Win32/Vobfus.H is a worm that spreads via removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Installation
When executed, the worm copies itself to %HOMEPATH%\<user name>.exe and sets a corresponding registry entry so that this copy runs at each Windows start:
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<user name>"
With data: "%HOMEPATH%\<user name>.exe"
Spreads via…
Removable drives
The worm looks for removable drives and then copies itself to the root directory of each located drive as <user name>.exe. Win32/Vobfus.H then writes an autorun configuration file named 'autorun.inf' pointing to <user name>.exe. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
 
The worm may also drop the following files on the removable drive:
 
z<two random characters>.lnk - detected as Exploit:Win32/CplLnk.B
z<two random characters>.dll
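A host-side check for the persistence entry and removable-drive artifacts described above, added here as an example; it is not part of this encyclopedia entry or of Microsoft's tools. It assumes it runs under the profile of the user whose name the worm would have used, and it only reports what it finds, it removes nothing.

```powershell
# Looks for the Vobfus.H artifacts listed in this entry (added example, not Microsoft tooling).
# Assumes the current user is the one whose <user name> the worm would have used.
$user     = $env:USERNAME
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$homeExe  = Join-Path ($env:HOMEDRIVE + $env:HOMEPATH) "$user.exe"   # %HOMEPATH%\<user name>.exe
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: a Run value named "<user name>" whose data is %HOMEPATH%\<user name>.exe
$run  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$prop = if ($run) { $run.PSObject.Properties[$user] }
if ($prop) {
    $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
    if ($data -ieq $homeExe) { $findings.Add("Run value '$user' -> $data") }
}
if (Test-Path -LiteralPath $homeExe) { $findings.Add("Dropped copy present: $homeExe") }

# 2. Removable drives: root copy, autorun.inf pointing at it, and z<xx>.lnk / z<xx>.dll files
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    if (-not (Test-Path -LiteralPath $root)) { continue }          # no media inserted
    if (Test-Path -LiteralPath (Join-Path $root "$user.exe")) {
        $findings.Add("$root$user.exe present")
    }
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $text = Get-Content -LiteralPath $autorun -Raw -ErrorAction SilentlyContinue
        if ($text -and $text -imatch [regex]::Escape("$user.exe")) {
            $findings.Add("$autorun references $user.exe")
        }
    }
    # Name pattern from the entry: 'z' + exactly two characters + .lnk or .dll, hidden files included
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch '^z..\.(lnk|dll)$' } |
        ForEach-Object { $findings.Add("Dropper candidate: $($_.FullName)") }
}

if ($findings.Count -eq 0) {
    Write-Output "No Vobfus.H artifacts found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1                                                     # non-zero so a scheduled run can alert
}
```

A hit on the Run value or the root-level copy should be followed by the full-system scan recommended above, since the worm also downloads other malware that this check does not look for.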
Payload
Downloads and executes arbitrary files
The worm connects to a remote host to download and execute files, as well as to update itself. In the wild, we have observed Vobfus contacting all-internal.info for this purpose.

At the time of writing, Win32/Vobfus.H had been observed downloading variants of the following malware families:
 
Analysis by Ray Roberts

Symptoms

There are no obvious symptoms that indicate the presence of this malware on an affected machine.

Prevention


Alert level: Severe
First detected by definition: 1.63.830.0
Latest detected by definition: 1.87.911.0 and higher
First detected on: Aug 03, 2009
This entry was first published on: Sep 08, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan-Downloader.Win32.VB.pod (Kaspersky)
  • Win32/TrojanDownloader.VB.NZX (ESET)