WORM_VOBFUS.PK

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %User Profile%\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\{random}.exe /{random letter}"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• Passwords.exe
• Porn.exe
• {random}.exe
• Secret.exe
• Sexy.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage characters}
[autorun]
{garbage characters}
IcON={random.exe}
{garbage characters}
open={random}.exe
{garbage characters}
ActIon=22891
{garbage characters}
usEAutoPlAY=1
{garbage characters}

Backdoor Routine

This worm connects to the following URL(s) to send and receive commands from a remote malicious user:

• ns1.{BLOCKED}nes.com
• ns1.{BLOCKED}nes.net
• ns1.{BLOCKED}nes.org
• ns1.{BLOCKED}nes.biz
• ns1.{BLOCKED}nes.info
• {BLOCKED}q.com
• {BLOCKED}23checker.tk:443/33210?a

NOTES:

The dropped autorun.inf is detected as Mal_OtorunS.

It searches for folders in all removable drives then drops copies of itself as {folder name}.exe.

It also uses the filename of the files with the following extensions:

• .mp3
• .avi
• .wma
• .wmv
• .wav
• .mpg
• .mp4
• .doc
• .txt
• .pdf
• .xls
• .jpg
• .jpe
• .bmp
• .gif
• .tif
• .png

It then sets the attribute of the original file or folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate file or folder.

It also adds the following non-malicious file in removable drives:

• x.mpeg