Analysis by: Jaime Benigno Reyes
ALIASES:

Worm:Win32/Vobfus.OP (Microsoft), Worm.Win32.Vobfus.cqks (Kaspersky), W32/Autorun.worm.aaeh!heur (McAfee)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system.

  TECHNICAL DETAILS

File Size: 241,664 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Mar 2013

Arrival Details

This worm arrives by connecting affected removable drives to a system.

Installation

This worm drops the following file(s)/component(s):

  • {removable drive letter}:\x.mpeg

It drops the following copies of itself into the affected system:

  • %User Profile%\{random}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\{random}.exe /{random letter}"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {removable drive letter}:\{random file name}.exe
  • {removable drive letter}:\Passwords.exe
  • {removable drive letter}:\Porn.exe
  • {removable drive letter}:\Secret.exe
  • {removable drive letter}:\Sexy.exe
  • {removable drive letter}:\{folder name}.exe

The said .INF file contains the following strings:

{garbage characters}
[autorun]
{garbage characters}
open={random}.eXE
{garbage characters}
ACTION={random number}
{garbage characters}
UsEaUTopLay=1
{garbage characters}

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

  • http://{BLOCKED}t.ru/f/mixc.exe

Other Details

This worm connects to the following possibly malicious URL:

  • http://{5 digit number}.{BLOCKED}2.net:81
  • http://{BLOCKED}I.{BLOCKED}2.net:81
  • http://{BLOCKED}m.{BLOCKED}2.net:81
  • http://{BLOCKED}f.su
  • http://{BLOCKED}w.ru

NOTES:

This worm searches for folders in all removable drives then drops copies of itself as {folder name}.exe.

It also uses the file names of files with the following extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

It then sets the attribute of the original file or folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate file or folder.