Win32/Vobfus.H is a worm that spreads via removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
When executed, the worm copies itself to %HOMEPATH%\<user name>.exe and sets a corresponding registry entry to execute this copy at each Windows start:
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<user name>"
With data: "%HOMEPATH%\<user name>.exe"
The worm looks for removable drives and then copies itself to the root directory of each located drive as <user name>.exe. Win32/Vobfus.H then writes an autorun configuration file named 'autorun.inf' pointing to <user name>.exe. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
The worm may also drop the following files on the removable drive:
z<two random characters>.dll
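The drive-side artifacts described above can be checked for during triage of a removable drive. The following is an added example, not part of the original analysis: the function names and finding labels are hypothetical, the drive root is supplied by the caller, and `open`, `shellexecute` and `shell\<verb>\command` are assumed to be the autorun.inf keys of interest because they are the standard Autorun launch keys.

```python
import re
import sys
from pathlib import Path

# z<two characters>.dll, as named in the description above
DLL_RE = re.compile(r"^z.{2}\.dll$", re.IGNORECASE)
# Standard Autorun keys that name a program to launch
LAUNCH_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)

def autorun_targets(inf_text):
    """Return the lowercased program named by each launch key in autorun.inf."""
    targets = []
    # Parsed line by line so comments or malformed lines do not abort the parse.
    for line in inf_text.splitlines():
        m = LAUNCH_RE.match(line)
        if not m:
            continue
        cmd = m.group(2).strip()
        if not cmd:
            continue
        # Program is the quoted string, or the first token if unquoted.
        prog = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        targets.append(prog.lstrip("\\/").lower())
    return targets

def triage_drive(root):
    """Return sorted (label, file name) findings for the root of one drive."""
    names = {p.name.lower() for p in Path(root).iterdir() if p.is_file()}
    findings = set()
    if "autorun.inf" in names:
        inf = next(p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf")
        for target in autorun_targets(inf.read_text(errors="replace")):
            # autorun.inf pointing to an .exe that sits in the drive root
            if target.endswith(".exe") and target in names:
                findings.add(("autorun-exe", target))
    for name in names:
        if DLL_RE.match(name):
            findings.add(("z-dll", name))
    return sorted(findings)

if __name__ == "__main__" and len(sys.argv) > 1:
    for label, name in triage_drive(sys.argv[1]):
        print(f"{label}\t{name}")
```

Legitimate installer media can also carry an autorun.inf that launches a root-level executable, so a single finding is a lead to examine the file rather than a verdict.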
Downloads and executes arbitrary files
The worm connects to a remote host to download and execute files, as well as to update itself. In the wild, we have observed Vobfus contacting all-internal.info for this purpose.
At the time of writing Win32/Vobfus.H had been observed downloading variants of the following malware families:
Analysis by Ray Roberts
There are no obvious symptoms that indicate the presence of this malware on an affected machine.