WORM_VOBFUS


 ALIASES:

Vobfus, Changeup, VBObfus

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Via physical/removable drives, Propagates via removable drives, Dropped by other malware, Downloaded from the Internet

VOBFUS variants are known to propagate by dropping copies of themselves onto removable drives connected to infected systems, taking advantage of the Windows AutoRun feature to spread whenever such a drive is attached to another machine. They may be dropped or downloaded onto users' systems by other malware, or may be unknowingly downloaded when visiting malicious sites.

When executed, VOBFUS variants connect to malicious servers to download files, including other malware such as VIRUX and FAKEAV. They also connect to malicious URLs to wait for commands from malicious users, thus compromising the security of the system.

Some VOBFUS variants use the Windows Shortcut File Vulnerability, a vulnerability which allows arbitrary code to be executed on the user’s system. Variants exploit this vulnerability to propagate.

They hook certain application programming interfaces (APIs) to prevent applications like Task Manager and Process Explorer from terminating their malicious routines. Lastly, VOBFUS variants have polymorphic capabilities, enabling them to add garbage code at every execution and to modify that code to generate new variants.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Downloads files

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entry to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random filename} = "%User Profile%\{random filename}.exe"

Other System Modifications

This worm modifies the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)
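The two registry changes above (an HKCU Run value pointing at an .exe directly in the user's profile folder, and ShowSuperHidden forced to 0) can be checked offline from a "reg export" of HKEY_CURRENT_USER. The script below is an added triage example, not Trend Micro's tooling; the .reg text it parses is constructed here, and the value name "xuewq" and user "alice" are assumed sample data.

```python
import re
from pathlib import PureWindowsPath

# Keys named in the write-up: the HKCU Run autostart key and the Explorer Advanced settings key.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')

def parse_reg_export(text):
    """Parse a .reg dump into {key: {value_name: data}}. String data has the
    doubled backslashes of the .reg format collapsed; DWORD data becomes int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, s, dw = m.groups()
            keys[current][name] = int(dw, 16) if dw is not None else s.replace("\\\\", "\\")
    return keys

def is_exe_in_profile_root(path):
    """True for an .exe directly inside a user profile folder (2000/XP/2003 or
    Vista/7 layout, or an unexpanded %USERPROFILE%), i.e. %User Profile%\\x.exe."""
    parts = [p.lower() for p in PureWindowsPath(path.strip('"')).parts]
    if not parts or not parts[-1].endswith(".exe"):
        return False
    if parts[0] == "%userprofile%":
        return len(parts) == 2
    return len(parts) == 4 and parts[0].endswith(":\\") and parts[1] in ("documents and settings", "users")

def find_vobfus_indicators(reg_text):
    """Return (finding, value_name, data) tuples; an empty list means nothing matched."""
    keys = parse_reg_export(reg_text)
    findings = [("run_entry_in_profile_root", name, data)
                for name, data in keys.get(RUN_KEY, {}).items()
                if isinstance(data, str) and is_exe_in_profile_root(data)]
    if keys.get(ADV_KEY, {}).get("ShowSuperHidden") == 0:  # protected OS files hidden
        findings.append(("protected_os_files_hidden", "ShowSuperHidden", 0))
    return findings

# Constructed sample export: one benign Run value, one VOBFUS-style value, ShowSuperHidden = 0.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xuewq"="C:\\Documents and Settings\\alice\\xuewq.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for finding in find_vobfus_indicators(SAMPLE_REG):
        print(finding)
```

A Run value launching an .exe from the profile root is unusual for legitimate software, so it is the stronger of the two signals; ShowSuperHidden alone is also changed by users and other tools.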

Other Details

This worm connects to the following possibly malicious URL:
