Analysis by: Jaime Benigno Reyes
ALIASES:

Worm:Win32/Vobfus.PQ (Microsoft), Worm.Win32.Vobfus.dnna (Kaspersky), W32/Autorun.worm.aaeh!heur (McAfee), W32.Changeup (Symantec)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 261,120 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 24 Apr 2013

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following file(s)/component(s):

  • {removable drive letter}:\x.mpeg

It drops the following copies of itself into the affected system:

  • %User Profile%\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\{random}.exe /{random letter}"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {removable drive letter}:\{random file name}.exe
  • {removable drive letter}:\Passwords.exe
  • {removable drive letter}:\Porn.exe
  • {removable drive letter}:\Secret.exe
  • {removable drive letter}:\Sexy.exe
  • {removable drive letter}:\{folder name}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage characters}
[autorun]
{garbage characters}
open={random}.Exe
{garbage characters}
ACtion={random number}
{garbage characters}
UsEaUTopLay=1
{garbage characters}

Download Routine

This worm accesses the following websites to download files:

  • http://{BLOCKED}y.ru/f/sc.exe
  • http://{BLOCKED}y.ru/f/pkc.exe

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}2.biz
  • http://BLOCKED}I.{BLOCKED}2.biz
  • http://{BLOCKED}1.{BLOCKED}2.biz
  • http://{BLOCKED}2.{BLOCKED}2.biz
  • http://{BLOCKED}r.su

NOTES:

This worm searches for folders in all removable drives then drops copies of itself as {folder name}.exe.

It also uses the file names of files with the following extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

It then sets the attribute of the original file or folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate file or folder.

It adds the following copies of itself into all zipped or compressed files:

  • Secret.exe