Worm:Win32/Vobfus.TO is a member of
Win32/Vobfus - a family of worms that spreads via network drives and removable drives. It may also download and execute arbitrary files.
Installation
Worm:Win32/Vobfus.TO copies itself to the following locations:
- c:\documents and settings\administrator\passwords.exe
- c:\documents and settings\administrator\porn.exe
- c:\documents and settings\administrator\secret.exe
- c:\documents and settings\administrator\sexy.exe
- c:\documents and settings\administrator\yeafuul.exe
- c:\documents and settings\administrator\c\passwords.exe
- c:\documents and settings\administrator\c\porn.exe
- c:\documents and settings\administrator\c\secret.exe
- c:\documents and settings\administrator\c\sexy.exe
The malware creates the following files on your computer:
-
c:\documents and settings\administrator\rcx10.tmp
-
c:\documents and settings\administrator\rcx11.tmp
-
c:\documents and settings\administrator\rcx12.tmp
-
c:\documents and settings\administrator\rcx13.tmp
-
c:\documents and settings\administrator\rcx14.tmp
-
c:\documents and settings\administrator\rcx15.tmp
-
c:\documents and settings\administrator\rcx16.tmp
-
c:\documents and settings\administrator\rcx17.tmp
-
c:\documents and settings\administrator\rcx18.tmp
-
c:\documents and settings\administrator\rcx19.tmp
-
c:\documents and settings\administrator\rcx1a.tmp
-
c:\documents and settings\administrator\rcx1b.tmp
-
c:\documents and settings\administrator\rcx1c.tmp
-
c:\documents and settings\administrator\rcx1d.tmp
-
c:\documents and settings\administrator\rcx1e.tmp
-
c:\documents and settings\administrator\rcx1f.tmp
-
c:\documents and settings\administrator\rcx20.tmp
-
c:\documents and settings\administrator\rcx21.tmp
-
c:\documents and settings\administrator\rcx22.tmp
-
c:\documents and settings\administrator\rcx23.tmp
Spreads via…
Removable and network drives
Worm:Win32/Vobfus.TO may create the following files on targeted drives when spreading:
- <targeted drive>:\passwords.exe
- <targeted drive>:\porn.exe
- <targeted drive>:\secret.exe
- <targeted drive>:\sexy.exe
- <targeted drive>:\subst.exe
- <targeted drive>:\yeafuul.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Contacts remote host
Worm:Win32/Vobfus.TO may contact a remote host at ns1.backupdate1.com using port 7004. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instruction from a remote hacker
- Upload data taken from your PC
This malware description was produced and published using our automated analysis system's examination of file SHA1 6f74ca0f46d0c50d24c137ca580d91d5f59dd352.
