Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 35.1.7039 | CA Antivirus 2007 | |
| 35.1.7039 | eTrust Antivirus v7/8* | |
| 7.x/7039 | eTrust EZ Antivirus 7.x | |
| 35.1.7039 | Vet 7 | |
Description
Win32/Vobfus is a family of worms that propagates via removable drives and downloads other files from the Internet.
Method of Infection
When executed, this malware drops and executes a copy of itself, named either %Username%.exe or {Random}.exe, in the %Documents and Settings%\%Username%\ folder.
For example:
If the username is "Administrator", the dropped file will be "C:\Documents and Settings\Administrator\Administrator.exe"; other variants of this malware drop a {Random} filename instead.
It then creates the following Registry entry so that it is executed at every start-up.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%Username% = "%Documents and Settings%\%Username%\%Username%.exe"
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{Random} = "%Documents and Settings%\%Username%\{Random}.exe"
Other variants of this malware may also drop a copy of themselves in the following path:
%RECYCLER%\{Random CLSID}\Dc{Number}.exe
For example:
C:\RECYCLER\S-1-5-21-1275210071-1303643608-682003330-1117\Dc1.exe
C:\RECYCLER\S-1-5-21-1275210071-1303643608-682003330-1117\Dc2.exe
C:\RECYCLER\S-1-5-21-1275210071-1303643608-682003330-1117\Dc3.exe
Method of Distribution
Via Removable Drives
This malware has the capability to propagate via removable drives such as USB drives. To do this, it drops two copies of itself on the removable drive, one with an .EXE file extension and the other with an .SCR file extension.
It then drops an autorun.inf file so that the dropped .EXE file is executed when Autorun is enabled.
It also drops the following shortcut (.lnk) files on the removable drive. These point to the dropped .SCR file, so opening any of the shortcuts executes the malware.
New Folder.lnk
Passwords.lnk
Documents.lnk
Pictures.lnk
Music.lnk
Video.lnk
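The removable-drive footprint described above (autorun.inf launching an .exe, an .exe/.scr pair, and decoy shortcuts pointing at the .scr) can be triaged offline once a drive image or its root directory is available. The script below is an added example and is not code from the original advisory or from CA; the function names, the verdict threshold, the dropped name "xkqje" and the constructed sample drive layout are all assumptions made for the demonstration. The .lnk check is a byte-pattern heuristic, not a full shell-link parser.

```python
"""Triage the root of a removable drive for the Win32/Vobfus propagation pattern.

Added example, not code from the original advisory. It looks for the three
artifacts the description lists: an autorun.inf that launches an .exe, a
matching .exe/.scr pair, and the decoy shortcut names whose .lnk points at
the .scr. Function names, the verdict rule and the sample drive layout
(including the dropped name "xkqje") are the author's own assumptions.
"""
import re
import tempfile
from pathlib import Path

# Decoy shortcut names from the advisory, compared case-insensitively.
DECOY_LNK_NAMES = {
    "new folder.lnk", "passwords.lnk", "documents.lnk",
    "pictures.lnk", "music.lnk", "video.lnk",
}

# autorun.inf keys that cause execution when Autorun/AutoPlay is enabled.
AUTORUN_EXEC_KEYS = re.compile(
    r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)


def parse_autorun_targets(text):
    """Return the targets named by the executable keys of an autorun.inf."""
    return [m.group(2).strip('"') for m in AUTORUN_EXEC_KEYS.finditer(text)]


def lnk_references_scr(data):
    """Heuristic: does a shell link's embedded target path mention a .scr?
    Real .lnk files carry the path as ANSI and/or UTF-16LE strings, so both
    encodings are checked; this is not a full MS-SHLLINK parser (assumption)."""
    lowered = data.lower()
    return b".scr" in lowered or ".scr".encode("utf-16-le") in lowered


def scan_removable_drive(root):
    """Collect Vobfus-style indicators directly under `root`.

    Returns a dict with the autorun targets, the basenames that exist as both
    .exe and .scr, the decoy .lnk files that point at a .scr, and a verdict.
    """
    root = Path(root)
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    findings = {"autorun_targets": [], "exe_scr_pairs": [], "decoy_lnks": []}

    if "autorun.inf" in files:
        findings["autorun_targets"] = parse_autorun_targets(
            files["autorun.inf"].read_text(errors="replace"))

    for name in sorted(files):
        if name.endswith(".exe") and name[:-4] + ".scr" in files:
            findings["exe_scr_pairs"].append(name[:-4])
        if name in DECOY_LNK_NAMES and lnk_references_scr(files[name].read_bytes()):
            findings["decoy_lnks"].append(files[name].name)

    # Verdict (assumed threshold): an .exe/.scr pair plus either an autorun
    # launcher or at least two of the decoy shortcuts.
    findings["suspicious"] = bool(findings["exe_scr_pairs"]) and (
        bool(findings["autorun_targets"]) or len(findings["decoy_lnks"]) >= 2)
    return findings


def build_sample_drive(infected=True):
    """Create a constructed drive layout in a temp dir and return its path.

    The .lnk bodies are NOT real shell links, just bytes that contain the
    UTF-16LE target name, which is enough for the heuristic above."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_demo_"))
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # benign bystander
    if infected:
        (root / "autorun.inf").write_bytes(
            b"[autorun]\r\nopen=xkqje.exe\r\n"
            b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
        (root / "xkqje.exe").write_bytes(b"MZ" + b"\0" * 62)
        (root / "xkqje.scr").write_bytes(b"MZ" + b"\0" * 62)
        for lnk in ("New Folder.lnk", "Passwords.lnk", "Documents.lnk",
                    "Pictures.lnk", "Music.lnk", "Video.lnk"):
            (root / lnk).write_bytes(b"L\0\0\0" + "xkqje.scr".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    for flag in (True, False):
        print(scan_removable_drive(build_sample_drive(infected=flag)))
```

Point `scan_removable_drive()` at the mount point of a real drive (read-only) to get the same dict. Note that the verdict deliberately requires the .exe/.scr pair, because a lone autorun.inf or a single oddly named shortcut is common on legitimate media.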
Payload
Downloads other files
This malware has the capability to download other, possibly malicious, files from the following sites:
ns1.theimageparlour.net
ns2.theimageparlour.net
ns3.theimageparlour.net
ns4.theimageparlour.net
Modifies Registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = dword:00000000
Setting ShowSuperHidden to 0 stops Explorer from displaying protected operating-system files, which helps keep the dropped copies out of sight.
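The persistence described under "Method of Infection" (a Run value named after an .exe dropped in the user's profile folder, or a copy under RECYCLER\{SID}\Dc{Number}.exe) and the ShowSuperHidden change above can both be checked from a `reg export` of HKEY_CURRENT_USER. The parser below is an added example, not code from the original advisory or from CA; the sample export is constructed, and the value names "xkqje", "Updater" and "Backup" in it are made up (the SID is the one quoted in the advisory).

```python
r"""Flag Win32/Vobfus-style persistence in a `reg export` of HKCU.

Added example, not part of the original advisory. It parses the text format
that `reg export` writes and applies the rules the description gives: a Run
value whose name equals the basename of an .exe sitting directly in the
user's profile folder, a Run value pointing at RECYCLER\<SID>\Dc<N>.exe, and
Explorer\Advanced\ShowSuperHidden forced to 0. The sample export and the
value names "xkqje", "Updater" and "Backup" are constructed for the demo.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Explorer\Advanced")

# <drive>:\Documents and Settings\<user>\<name>.exe  (groups: user, name)
PROFILE_DROP = re.compile(
    r"^[a-z]:\\documents and settings\\([^\\]+)\\([^\\]+)\.exe$", re.I)
# <drive>:\RECYCLER\S-1-5-...\Dc<N>.exe
RECYCLER_DROP = re.compile(r"^[a-z]:\\recycler\\s-1-5-[\d-]+\\dc\d+\.exe$", re.I)


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: data}}.

    Handles quoted REG_SZ data (undoing the doubled-backslash and escaped
    quote sequences) and dword: values (returned as int); other types are
    kept as raw strings. Assumption: one value per line. `reg export`
    writes UTF-16LE with a BOM, so decode the file before calling this."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def find_vobfus_persistence(reg_text):
    """Return (key, value_name, data, reason) tuples for matching entries."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if not isinstance(data, str):
            continue
        m = PROFILE_DROP.match(data)
        if m and m.group(2).lower() == name.lower():
            hits.append((RUN_KEY, name, data,
                         "Run value named after an .exe in the profile root"))
        elif RECYCLER_DROP.match(data):
            hits.append((RUN_KEY, name, data,
                         "Run value pointing into RECYCLER\\<SID>\\Dc<N>.exe"))
    if keys.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        hits.append((ADVANCED_KEY, "ShowSuperHidden", 0,
                     "protected OS files hidden in Explorer"))
    return hits


# Constructed sample export (the SID is the one quoted in the advisory).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Administrator"="C:\\Documents and Settings\\Administrator\\Administrator.exe"
"xkqje"="C:\\Documents and Settings\\Administrator\\xkqje.exe"
"Updater"="C:\\RECYCLER\\S-1-5-21-1275210071-1303643608-682003330-1117\\Dc2.exe"
"Backup"="C:\\Documents and Settings\\Administrator\\Application Data\\backup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
"""

if __name__ == "__main__":
    for hit in find_vobfus_persistence(SAMPLE_EXPORT):
        print(*hit, sep=" | ")
```

The "Backup" entry is included as a negative case: it lives one directory deeper than the profile root, so the rule does not fire on it. The name-equals-basename rule is what distinguishes the {Random} variant from ordinary Run entries, since legitimate software rarely names its Run value exactly after a bare executable in the profile root.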
Kills Process
Other variants of this malware attempt to kill the "taskmgr.exe" process whenever it is found running on the system.
Additional information:
This malware is usually a Visual Basic (VB) compiled executable.
Analysis by Ricardo Robielos III