WORM_VOBFUS.DCQ

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself into network drives. It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %User Profile%\{random file name}.exe
• %User Profile%\Passwords.exe
• %User Profile%\Porn.exe
• %User Profile%\Secret.exe
• %User Profile%\Sexy.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following files:

• {drive letter}:\x.mpeg

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%User Profile%\{random file name}.exe /{random character}"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy of itself in all physical and removable drives:

• {drive letter}:\{random file name}.exe
• {drive letter}:\Passwords.exe
• {drive letter}:\Porn.exe
• {drive letter}:\Secret.exe
• {drive letter}:\Sexy.exe

It drops copies of itself into network drives.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open={random file name}.exe
icon={random file name}.exe,0

or

{garbage characters}
[autorun]
{garbage characters}
open={random}.eXE
{garbage characters}
ACTION={random number}
UseautopLAY=1
{garbage characters}

Download Routine

This worm accesses the following websites to download files:

• {BLOCKED}1.{BLOCKED}e{random number}.{domain}

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

Other Details

This worm terminates itself if it detects it is being run in a virtual environment.

It terminates itself if any of the following file(s) are present:

• sbiedll.dll (Sandboxie component)
• snxhk.dll (AVAST component)

NOTES:

Where {domain} can be any of the following:

• .com
• .net
• .org
• .biz
• .info

It queries the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum registry key for the following registry data strings to check if it is running in a virtual environment.

• VIRTUAL
• VMWARE
• VBOX
• QEMU

It uses the file names of of files with the following extensions:

• mp3
• avi
• wma
• wmv
• wav
• mpg
• mp4
• doc
• txt
• pdf
• xls
• jpg
• jpe
• bmp
• gif
• tif
• png

It then sets the attribute of the original folders in the removable drives to Hidden and System to trick users into thinking that the dropped copies are the legitimate folders.

The copies dropped in mapped network drives uses the same file names as the ones used in the removable drives.