WORM_VOBFUS.BKZ
Worm.Win32.Vobfus.erns (Kaspersky), Worm:Win32/Vobfus (Microsoft)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %User Profile%\{varying filename}.exe
- %User Profile%\{random characters}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = "%User Profile%\{random characters}.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSupperHidden = "1"
(Note: The default value data of the said registry entry is "0".)
NOTES:
The file name it uses may contain any of the following strings:
- Passwords
- Porn
- runme
- Secret
- Sexy
This worm searches for folders in all removable drives then drops copies of itself as {folder name}.exe. It also uses the file names of files with the following extensions:
- .avi
- .bmp
- .doc
- .gif
- .jpe
- .jpg
- .mp3
- .mp4
- .mpg
- .png
- .tif
- .txt
- .wav
- .wma
- .wmv
- .xls
It then sets the attribute of the original file or folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate file or folder. It also drops to mapped network drives the same copies of itself as dropped in removable drives.