Threat behavior
Win32/Vobfus.gen!A is a generic detection for certain variants of Win32/Vobfus, a worm that spreads via removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware.
Installation
When executed, the worm copies itself to "%HOMEPATH%\<user name>.exe" and sets a corresponding registry entry so that this copy is executed at each Windows start:
Adds value: "<user name>"
With data: "%HOMEPATH%\<user name>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Removable drives
The worm looks for removable drives and copies itself to the root directory of each drive it finds as "<user name>.exe". Win32/Vobfus.gen!A then writes an autorun configuration file named "autorun.inf" that points to the copy of the worm. When the removable or networked drive is accessed from another machine that supports the Autorun feature, the worm is launched automatically.
The worm may also drop the following files on the removable drive:
z<two random characters>.dll
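The installation and removable-drive artifacts described above lend themselves to a simple host triage check. The following is an added example (not code from the Microsoft write-up) that takes data already collected from a host, namely the values under the HKCU Run key and the root listing plus autorun.inf contents of a removable drive, and reports entries that match the patterns the page describes: a Run value named after the user pointing at "<user name>.exe", a "<user name>.exe" copy at the drive root, an autorun.inf whose open= or shellexecute= directive launches it, and "z<two characters>.dll" drop candidates. Function names, the sample registry values and the sample drive listing are all constructed for this example; a real run would feed it the output of a registry export and a directory listing.

```python
"""Triage helpers for the Win32/Vobfus.gen!A persistence and removable-drive
artifacts.  Added example with constructed sample data; not part of the
original write-up.  Inputs are assumed to be collected beforehand (registry
export, drive listing) so this runs offline on any platform."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Dropped DLL pattern from the write-up: "z" followed by two random characters
DROPPED_DLL_RE = re.compile(r"^z..\.dll$", re.IGNORECASE)


def _basename_lower(command: str) -> str:
    """Base file name of the first token of a command line, lower-cased."""
    first = command.strip().strip('"').split()[0] if command.strip() else ""
    return ntpath.basename(first.strip('"')).lower()


def suspicious_run_values(run_values: Dict[str, str], user_name: str) -> List[str]:
    """Flag Run values whose name equals the user name and whose data points at
    <user name>.exe.  Compares only the base file name so that both the
    unexpanded "%HOMEPATH%\\<user>.exe" form and an expanded path match."""
    findings = []
    worm_copy = f"{user_name}.exe".lower()
    for name, data in run_values.items():
        if name.lower() == user_name.lower() and _basename_lower(data) == worm_copy:
            findings.append(f"{RUN_KEY}\\{name} -> {data}")
    return findings


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Minimal INI parse of the [autorun] section; keys are lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_drive_root(root_files: Iterable[str], autorun_text: Optional[str],
                          user_name: str) -> List[str]:
    """Flag the removable-drive artifacts: a <user name>.exe copy at the root,
    z??.dll drop candidates, and autorun.inf directives that launch the copy."""
    findings = []
    names = {n.lower() for n in root_files}
    worm_copy = f"{user_name}.exe".lower()
    if worm_copy in names:
        findings.append(f"worm copy at drive root: {worm_copy}")
    for name in sorted(names):
        if DROPPED_DLL_RE.match(name):
            findings.append(f"dropped DLL candidate: {name}")
    if autorun_text is not None:
        entries = parse_autorun_inf(autorun_text)
        # open= and shellexecute= are the autorun.inf directives that launch a program
        for key in ("open", "shellexecute"):
            target = entries.get(key, "")
            if target and _basename_lower(target) == worm_copy:
                findings.append(f"autorun.inf {key}= launches worm copy: {target}")
    return findings


# Constructed sample data for the user "alice" (not observed values).
SAMPLE_RUN_VALUES = {
    "alice": r"%HOMEPATH%\alice.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_ROOT_FILES = ["alice.exe", "autorun.inf", "zqt.dll", "photos", "report.docx"]
SAMPLE_AUTORUN_INF = "[autorun]\nopen=alice.exe\n"

if __name__ == "__main__":
    for line in suspicious_run_values(SAMPLE_RUN_VALUES, "alice"):
        print("RUN KEY :", line)
    for line in suspicious_drive_root(SAMPLE_ROOT_FILES, SAMPLE_AUTORUN_INF, "alice"):
        print("DRIVE   :", line)
```

On the constructed sample the script reports one Run-key hit and three drive hits (the root copy, zqt.dll and the open= directive). Matching on the base file name rather than the full path keeps the check useful whether the registry export shows the literal "%HOMEPATH%" string or an already-expanded profile path.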
Payload
Downloads and executes arbitrary files
The worm connects to a remote host to download and execute files, as well as to update itself. In the wild, we have observed Vobfus contacting all-internal.info for this purpose.
At the time of writing, Win32/Vobfus.gen!A had been observed downloading variants of the following malware families:
Analysis by Ray Roberts
Prevention