WORM_VOBFUS
Vobfus, Changeup, VBObfus
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
VOBFUS malware are known to propagate by dropping copies of themselves onto removable drives connected to infected systems. They take advantage of the Windows AutoRun feature in order to spread via removable drives. They may be dropped or downloaded by other malware onto users’ systems or may be unknowingly downloaded when visiting malicious sites.
When executed, VOBFUS connects to malicious servers to download files. They also download other malware such as VIRUX and FAKEAV. VOBFUS variants connect to malicious URLs to wait for commands from malicious users, thus compromising the security of the system.
Some VOBFUS variants use the Windows Shortcut File Vulnerability, a vulnerability which allows arbitrary code to be executed on the user’s system. Variants exploit this vulnerability to propagate.
They hook certain application programming interfaces (APIs) to prevent applications like Task Manager and Process Explorer from terminating their malicious routines. Lastly, VOBFUS variants have polymorphic capabilities, enabling them to add garbage code at every execution and to modify the said code to generate new variants.
TECHNICAL DETAILS
Installation
This worm drops the following copies of itself into the affected system:
- %User Profile%\{random filename}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = "%User Profile%\{random file name}.exe"
Other System Modifications
This worm modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"
(Note: The default value data of the said registry entry is 1.)
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}me.com
- {BLOCKED}verarts.com
- {BLOCKED}te.com
- {BLOCKED}entalarts.com
- {BLOCKED}y.com
- {BLOCKED}i.com
- {BLOCKED}t.com
- {BLOCKED}ental.com
- {BLOCKED}ttraffic.com
- {BLOCKED}traffic.com
- {BLOCKED}orarts.com
- {BLOCKED}p.com
- ns1.{BLOCKED}geparlour.net
- ns1.{BLOCKED}turehut.net
- ns2.{BLOCKED}turehut.net
- ns3.{BLOCKED}geparlour.net
- ns3.{BLOCKED}turehut.net
- ns4.{BLOCKED}turehut.net
- {BLOCKED}rtsite.com
- {BLOCKED}earts.com
- {BLOCKED}arts.com
- {BLOCKED}arts.com