WORM_VOBFUS.SM38

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %User Profile%\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\{random}.exe /{random character}"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {random}.exe
• passwords.exe
• porn.exe
• secret.exe
• sexy.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage characters}
[autorun]
iCON={random}.exe,0
{garbage characters}
open={random}.exe
{garbage characters}
aCTioN={number}
{garbage characters}
usEautOPLay=1
{garbage characters}

Download Routine

This worm connects to the following malicious URLs:

• {BLOCKED}1.{BLOCKED}nes.biz
• {BLOCKED}1.{BLOCKED}nes.com
• {BLOCKED}1.{BLOCKED}nes.info
• {BLOCKED}1.{BLOCKED}nes.net
• {BLOCKED}1.{BLOCKED}nes.org
• {BLOCKED}1.{BLOCKED}ch.org

NOTES:

It searches for folders and files with the following extensions in removable drives:

• .avi
• .bmp
• .doc
• .gif
• .jpe
• .jpg
• .mp3
• .mp4
• .mpg
• .pdf
• .png
• .tif
• .txt
• .wav
• .wma
• .wmv
• .xls

It then drops copies of itself as {folder name}.exe and {filename}.exe. It then sets the attribute of the original file or folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate file or folder.

It also adds the following non-malicious file in removable drives:

• x.mpeg