Worm:Win32/Vobfus.AAW is a member of
Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files.
Installation
Worm:Win32/Vobfus.AAW copies itself to the following locations:
- c:\documents and settings\administrator\gexaeiq\1.exe
- c:\documents and settings\administrator\gexaeiq\2.exe
- c:\documents and settings\administrator\gexaeiq\3.exe
- c:\documents and settings\administrator\gexaeiq\4.exe
- c:\documents and settings\administrator\gexaeiq\qieaxeg.exe
The malware creates the following files on your PC:
-
c:\documents and settings\administrator\gexaeiq\rcx10.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx11.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx12.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx13.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx14.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx15.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx16.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx17.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx18.tmp
-
c:\documents and settings\administrator\gexaeiq\rcx19.tmp
-
c:\documents and settings\administrator\gexaeiq\rcxe.tmp
-
c:\documents and settings\administrator\gexaeiq\rcxf.tmp
-
c:\documents and settings\administrator\start menu\programs\startup\qieaxeg.lnk
Spreads via…
Removable drives
Worm:Win32/Vobfus.AAW can create the following files on targeted drives when spreading:
- <targeted drive>:\favourites.lnk
- <targeted drive>:\love you.exe
- <targeted drive>:\money.exe
- <targeted drive>:\movies.lnk
- <targeted drive>:\music.lnk
- <targeted drive>:\nude.exe
- <targeted drive>:\passwords.lnk
- <targeted drive>:\pictures.lnk
- <targeted drive>:\private.lnk
- <targeted drive>:\qieaxeg.exe
- <targeted drive>:\search.lnk
- <targeted drive>:\secret folder.lnk
- <targeted drive>:\sex.exe
- <targeted drive>:\sexy.exe
- <targeted drive>:\subst.exe
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Payload
Changes system security settings
Worm:Win32/Vobfus.AAW disables the Least Privileged User Account (LUA), also known as the ?administrator in Admin Approval Mode? user type. It does this by making the following registry modifications:
Sets value:
"EnableLUA"With data:
"0" In subkey:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Note: Disabling the LUA allows all applications to run by default with all administrative privileges. You won't be asked for explicit consent.
Contacts remote host
The malware might contact a remote host at ns1.dnsfor.net using port 7005. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 f6f28d39384fcd1d2a92925aa1c2b1808e97e24e.
