Win32/Vobfus.gen!C is a generic detection for certain variants of Win32/Vobfus, a worm that spreads via network drives and removable drives.
Installation
When executed, the worm copies itself to "%HOMEPATH%\<random letters>.exe" and sets the following corresponding registry entry to execute this copy at each Windows start:
Adds value: "<random letters>"
With data: "%HOMEPATH%\<random letters>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note: %HOMEPATH% refers to a variable location that the malware determines by querying the operating system. The default installation location for the Homepath folder for Windows 2000 and NT is \Documents and Settings\<user>; and for XP, Vista, and 7 is \Users\<user>.
Spreads via...
Network and removable drives
The worm copies itself to the root directory of the network and removable drives using the same random file name as its copy in %HOMEPATH%. The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. Additional copies of the worm with the name "<random letters>.scr" may also be created.
In addition, another copy of the worm is created using "<random letters>x.exe", with the following shortcut files referencing it:
- ..lnk
- ...lnk
- Documents.lnk
- Music.lnk
- New Folder.lnk
- Passwords.lnk
- Pictures.lnk
- Video.lnk
The worm exploits the LNK vulnerability by creating the following files:
The dropped DLL will launch x.exe on vulnerable systems.
Payload
Modifies computer settings
Win32/Vobfus.P marks its executables as hidden files, and periodically overwrites the following registry value to ensure the hidden files are not displayed in Windows Explorer:
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
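As an added defender-side triage script (not part of the Microsoft entry), the following PowerShell checks a host for the persistence, ShowSuperHidden and drive-root indicators described in the Installation, Spreads via and Modifies computer settings sections above. The function name, the drive-type filter and the letters-only file-name heuristic are my own choices; the registry paths and file names come from the entry.

```powershell
# Added example (not from the Microsoft entry): host triage for the Vobfus indicators above.
# Assumes it runs as the user whose HKCU hive is of interest; drive types 2/4 = removable/network.
function Find-VobfusIndicators {
    $findings = @()

    # Installation: HKCU Run value whose data is <random letters>.exe directly under %HOMEPATH%
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $profileRoot = [Environment]::GetFolderPath('UserProfile') -replace '^[A-Za-z]:', ''
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run entries
            $path = [Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"'))
            if ($path -match '\\[A-Za-z]+\.exe$' -and
                ((Split-Path $path -Parent) -replace '^[A-Za-z]:', '') -eq $profileRoot) {
                $findings += "Run value '$($p.Name)' launches $path from the profile root"
            }
        }
    }

    # Payload: ShowSuperHidden forced to 0. This is also the Windows default, so on its own it is
    # only corroborating evidence; the entry says the worm keeps rewriting it.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0 (protected system files not shown)' }

    # Spreading: autorun.inf, the listed shortcut names and hidden <letters>.exe/.scr at a drive root
    $lnkNames = '..lnk', '...lnk', 'Documents.lnk', 'Music.lnk', 'New Folder.lnk', 'Passwords.lnk', 'Pictures.lnk', 'Video.lnk'
    foreach ($disk in (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=4')) {
        $root = $disk.DeviceID + '\'
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $launch = Get-Content -LiteralPath $inf -Force | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            $findings += "autorun.inf at $root launches: $($launch -join '; ')"
        }
        $present = $lnkNames | Where-Object { Test-Path -LiteralPath (Join-Path $root $_) }
        if ($present) { $findings += "Vobfus-style shortcuts at $root : $($present -join ', ')" }
        $exes = Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^[A-Za-z]+\.(exe|scr)$' -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }
        if ($exes) { $findings += "Hidden letters-only executables at $root : $($exes.Name -join ', ')" }
    }
    return $findings
}

Find-VobfusIndicators
```

The output is a list of human-readable findings for manual review; an empty result means none of the listed indicators were present for the current user and mounted drives, not that the host is clean.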
Terminates processes and threads
Win32/Vobfus.P protects its processes by modifying two Windows system APIs (TerminateProcess and TerminateThread). Any process that attempts to terminate the worm's process is made to crash.
Downloads and executes arbitrary files
Win32/Vobfus.P tries to download additional files from a remote server via TCP port 8000. Some of the sites it has been observed downloading files from are:
- theimageparlour.net
- thepicturehut.net
Analysis by Shali Hsieh