arrow_back
search
close

WORM_VOBFUS.FUU

June 21, 2013
 ALIASES:

Worm:Win32/Vobfus.RA (Microsoft), VBObfus.g (McAfee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself into network drives. It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

82,432 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

21 Jun 2013

Payload:

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\{random file name 1}.exe
  • %User Profile%\Passwords.exe
  • %User Profile%\Porn.exe
  • %User Profile%\Secret.exe
  • %User Profile%\Sexy.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

  • {removable drive}:\x.mpeg
  • %User Profile%{random file name 2}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%User Profile%\{random file name}.exe /{random character}"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy of itself in all physical and removable drives:

  • {drive letter}:\{random file name 1}.exe
  • {drive letter}:\Passwords.exe
  • {drive letter}:\Porn.exe
  • {drive letter}:\Secret.exe
  • {drive letter}:\Sexy.exe

It drops copies of itself into network drives.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open={random file name}.exe
action={random numbers}
useautoplay=1

Other Details

This worm connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}e.com

NOTES:

It replaces files found in removable drives with the following extensions with a copy of itself:

  • mp3
  • avi
  • wma
  • wmv
  • wav
  • mpg
  • mp4
  • doc
  • txt
  • pdf
  • xls
  • jpg
  • jpe
  • bmp
  • gif
  • tif
  • png

It uses the original file name used for the replaced files.

It then sets the attribute of the original folders and files in the removable drives to Hidden and System to trick users into thinking that the dropped copies are the original folders and files.