Vobfus is often downloaded by other malware, and also downloads other malware itself, including:
Installation
In the wild, we have observed variants of Vobfus being downloaded by variants of Win32/Beebone.
This threat creates a mutex named "A" to mark the PC as infected and to ensure that only one copy of its process runs at any one time.
It then drops a copy of itself into the "C:\Documents and Settings\<user>" folder using a random file name, for example:
C:\documents and settings\Administrator\zkyip.exe
It creates the following registry entries so it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random>"
With data: "C:\documents and settings\<user>\<random>.exe [/<random parameter>]"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zkyip"
With data: "C:\documents and settings\administrator\zkyip.exe /f"
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\<user>\<random>.exe [/<random parameter>]"
For example:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "C:\documents and settings\administrator\zkyip.exe /t"
Spreads via...
Network and removable drives
The worm copies itself to the root directory of network and removable drives as "rcx<hexadecimal number>.tmp", then renames this TMP file to one of the following:
- passwords.exe
- porn.exe
- secret.exe
- sexy.exe
- subst.exe
- system.exe
The worm also writes an Autorun configuration file named "autorun.inf" in the same root directory, pointing to the worm copy. If the drive is opened on a PC that has the Autorun feature enabled, the worm is launched automatically.
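As an added example (not code from the original write-up), the following Python script checks a drive root for the spreading artifacts described above: copies named rcx<hex>.tmp or one of the six listed file names, and an autorun.inf whose open=, shellexecute= or shell\<verb>\command= entry launches one of them. The infected drive layout is constructed in a temporary directory with placeholder bytes; the autorun.inf parser and the finding labels are my assumptions, not part of the original analysis.

```python
import os
import re
import shutil
import tempfile

# File names the worm renames its rcx<hex>.tmp copy to, per the write-up.
VOBFUS_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe", "subst.exe", "system.exe"}
TMP_COPY = re.compile(r"^rcx[0-9a-f]+\.tmp$", re.IGNORECASE)

def parse_autorun(text):
    """Return the launch targets named in the [autorun] section of an autorun.inf."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # open= and shellexecute= launch directly; shell\<verb>\command= backs a
        # context-menu verb (shell\open\command is what a double-click runs).
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def executable_name(target):
    """Base name of the program in a launch string such as '"secret.exe" /x'."""
    t = target.strip()
    if t.startswith('"'):
        first = t[1:].split('"', 1)[0]
    else:
        first = t.split()[0] if t else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_drive_root(root):
    """Flag worm-style files and autorun.inf launch targets in a drive root."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}
    for lower, original in sorted(names.items()):
        if lower in VOBFUS_NAMES or TMP_COPY.match(lower):
            findings.append(("suspicious-file", original))
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), encoding="utf-8", errors="replace") as f:
            for target in parse_autorun(f.read()):
                exe = executable_name(target)
                kind = "autorun-points-to-worm" if exe in VOBFUS_NAMES else "autorun-launches"
                findings.append((kind, target))
    return findings

def build_sample_drive():
    """Constructed drive root laid out like an infected USB stick (placeholder bytes, not real executables)."""
    root = tempfile.mkdtemp(prefix="vobfus_demo_")
    for name in ("passwords.exe", "rcx1A2B.tmp"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ placeholder")
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")
    autorun = "\n".join([
        "[autorun]",
        "open=passwords.exe",
        "shell\\open\\command=\"passwords.exe\" /t",
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4",
        "",
    ])
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as f:
        f.write(autorun)
    return root

def scan_sample_drive():
    """Build the constructed drive root, scan it, and clean up afterwards."""
    root = build_sample_drive()
    try:
        return scan_drive_root(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for kind, what in scan_sample_drive():
        print(f"{kind}: {what}")
```

Point scan_drive_root at a real mounted drive root (for example "E:\\") to triage a stick; any "autorun-launches" finding deserves a look even when the target is not one of the six names, since the name list changes between variants.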
Payload
Changes PC settings
Worm:Win32/Vobfus sets the following registry entry so that Windows Explorer hides protected operating system files, undoing any change you make to that setting:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
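As an added example (not code from the original write-up), the following Python script checks a .reg export of the current user's hive for the indicators described under Installation and Changes PC settings: a Run value and a Load value that launch a randomly named .exe from the profile root with a "/x" switch, and ShowSuperHidden set to 0. The sample export is constructed, with a benign Run value mixed in; the parser, the PROFILE_ROOT_EXE pattern, and its acceptance of "C:\Users\<user>" as a profile root are my assumptions, not part of the original analysis.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Launch command shape from the write-up: an .exe directly in the profile root
# (no subfolder) followed by a single "/x" switch. Accepting "C:\Users\<user>"
# as a profile root is an assumption extending the same shape to newer Windows.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\(?:documents and settings|users)\\[^\\"]+\\[^\\"]+\.exe"?\s+/\S+$',
    re.IGNORECASE,
)

# Constructed sample .reg export with one benign Run value mixed in. In .reg
# files, backslashes and quotes inside string data are escaped with "\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"zkyip"="C:\\documents and settings\\administrator\\zkyip.exe /f"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\documents and settings\\administrator\\zkyip.exe /t"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000001
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_UNESCAPE = re.compile(r"\\(.)")

def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ and REG_DWORD values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line) if key else None
        if not m:
            continue
        name = _UNESCAPE.sub(r"\1", m.group(1))
        value = m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            yield key, name, _UNESCAPE.sub(r"\1", value[1:-1])   # REG_SZ, unescaped
        elif value.lower().startswith("dword:"):
            yield key, name, int(value[6:], 16)                   # REG_DWORD

def find_vobfus_indicators(reg_text):
    """Return (key, value_name, data, reason) tuples for values matching the write-up."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        k = key.lower()
        if k == RUN_KEY.lower() and isinstance(data, str) and PROFILE_ROOT_EXE.match(data):
            findings.append((key, name, data, "Run value launches an .exe from the profile root with a /x switch"))
        elif k == LOAD_KEY.lower() and name.lower() == "load" and isinstance(data, str) and data.strip():
            findings.append((key, name, data, "Load value set; rarely used by legitimate software"))
        elif k == ADVANCED_KEY.lower() and name.lower() == "showsuperhidden" and data == 0:
            findings.append((key, name, data, "protected operating system files forced hidden"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in find_vobfus_indicators(SAMPLE_REG):
        print(f"{key}\\{name} = {data!r}: {reason}")
```

Feed it the output of "reg export HKCU\Software\Microsoft\Windows out.reg" (the export is UTF-16; decode it before passing the text in). A non-empty Load value is flagged on its own because that location is almost never used by legitimate software, whereas Run values are only flagged when their command matches the profile-root shape the write-up describes.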
Downloads and runs other malware
Worm:Win32/Vobfus tries to connect to a remote host to receive encrypted commands that, when decrypted, specify a download in the form:
<URL to download><Save as file name>
The remote host's address is hardcoded in the variant's binary and changes as the malware author releases new binaries. It is either a complete host name or is assembled as <domain string><number>.<domain extension> from a domain string (for example, ns1.player1532) and one of the extensions listed below, giving names such as:
- ns1.timedate1.org
- ns1.timedate3.com
Common domain strings used by Worm:Win32/Vobfus include (entries without a domain extension have one appended from the list further below):
- codeconline.net
- imagehut2.cn
- msdip.com
- ns1.backdate1.com
- ns1.backupdate1.com
- ns1.cpuchecks
- ns1.datetoday1.org
- ns1.helpcheck1
- ns1.helpchecks
- ns1.helpchecks.net
- ns1.helpupdated
- ns1.helpupdated.com
- ns1.helpupdated.org
- ns1.helpupdatek.at
- ns1.helpupdater
- ns1.helpupdater.net
- ns1.mysearchhere.net
- ns1.searchhereonline.net
- ns1.theimageparlour.net
- ns1.thepicturehut.net
- ns1.timedate3.com
- ns2.helpchecks.net
- ns2.helpupdated.com
- ns2.helpupdated.org
- ns2.helpupdatek.at
- ns2.helpupdater.net
- ns2.mysearchhere.net
- ns2.searchhereonline.net
- ns2.theimageparlour.net
- ns2.thepicturehut.net
- ns3.helpchecks.net
- ns3.helpupdated.com
- ns3.helpupdated.org
- ns3.helpupdatek.at
- ns3.helpupdater.net
- ns3.mysearchhere.net
- ns3.searchhereonline.net
- ns3.theimageparlour.net
- ns3.thepicturehut.net
- ns4.helpchecks.net
- ns4.helpupdated.com
- ns4.helpupdated.org
- ns4.helpupdatek.at
- ns4.helpupdater.net
- ns4.mysearchhere.net
- ns4.searchhereonline.net
- ns4.theimageparlour.net
- ns4.thepicturehut.net
- peazoom.com
- thethoughtzone.net
- usezoom.com
- vrera.com
- zoomslovenia.com
The worm appends the following domain extensions, trying each in the order listed below and moving to the next if it cannot connect:
- .com
- .net
- .org
- .biz
- .info
- .by
The worm contacts these remote hosts using any of the following TCP ports:
- 2002
- 7001
- 7002
- 7003
- 7004
- 7005
- 8000
- 8003
- 9002
- 9003
- 9004
We have observed these hosts resolving to the following IP addresses:
- 188.65.<removed>.13
- 192.162.<removed>.73
- 46.28.<removed>.32
- 60.172.<removed>.143
- 60.172.<removed>.144
- 60.173.<removed>.9
- 78.46.<removed>.198
- 78.47.<removed>.165
- 94.250.<removed>.83
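As an added example (not code from the original write-up), the following Python script expands the domain strings above into the ordered list of host names the worm can try (entries that already carry a domain extension are used as-is; the others get each extension appended in the worm's own fallback order) and then matches a DNS query log against that list. It also applies a heuristic regular expression for the assembled ns<1-4>.<word><digits>.<extension> shape to catch strings a newer binary might carry; that pattern, the subset of domain strings used, and the constructed log lines are my assumptions, not part of the original analysis.

```python
import re

# Domain strings and extension order as given in the write-up (a subset of the
# string list is enough to show the expansion).
DOMAIN_STRINGS = [
    "ns1.cpuchecks", "ns1.helpcheck1", "ns1.helpchecks", "ns1.helpchecks.net",
    "ns1.helpupdated", "ns1.helpupdated.com", "ns1.timedate3.com",
    "imagehut2.cn", "ns1.helpupdatek.at",
]
EXTENSIONS = ["com", "net", "org", "biz", "info", "by"]   # tried in this order

# Entries ending in one of these are treated as complete host names. ".cn" and
# ".at" appear in the write-up's list; the rest are the worm's own extensions.
COMPLETE_TLDS = set(EXTENSIONS) | {"cn", "at"}

# Assumption: heuristic for the assembled form ns<1-4>.<word><digits>.<ext>,
# derived from the listed names, to flag strings not yet on the list.
ASSEMBLED_FORM = re.compile(r"^ns[1-4]\.[a-z]+\d*\.(?:com|net|org|biz|info|by)$")

def expand_c2_hosts(domain_strings, extensions=EXTENSIONS):
    """Ordered, de-duplicated host names the worm can try, in its fallback order."""
    seen, hosts = set(), []
    for entry in domain_strings:
        entry = entry.lower().strip(".")
        if entry.rsplit(".", 1)[-1] in COMPLETE_TLDS:
            candidates = [entry]                              # already complete
        else:
            candidates = [f"{entry}.{ext}" for ext in extensions]
        for host in candidates:
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts

def classify_query(qname, known_hosts):
    """'known-c2' for an exact list hit, 'c2-pattern' for the assembled shape, else None."""
    q = qname.lower().rstrip(".")
    if q in known_hosts:
        return "known-c2"
    if ASSEMBLED_FORM.match(q):
        return "c2-pattern"
    return None

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2013-04-02T10:15:01Z 10.0.0.5 ns1.helpchecks.biz A
2013-04-02T10:15:02Z 10.0.0.5 www.microsoft.com A
2013-04-02T10:15:03Z 10.0.0.7 ns3.timedate7.info A
2013-04-02T10:15:04Z 10.0.0.9 ns1.example.org A
2013-04-02T10:15:05Z 10.0.0.9 imagehut2.cn A
"""

def scan_dns_log(text, known_hosts):
    """Return (client, qname, verdict) for every query that matches."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, _qtype = parts[:4]
        verdict = classify_query(qname, known_hosts)
        if verdict:
            hits.append((client, qname, verdict))
    return hits

if __name__ == "__main__":
    known = set(expand_c2_hosts(DOMAIN_STRINGS))
    for client, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG, known):
        print(f"{client} queried {qname}: {verdict}")
```

Exact hits can go straight onto a block list; "c2-pattern" hits (the constructed ns1.example.org line is one) are only a lead and need triage, since the heuristic also matches legitimate ns1.<name>.<tld> records. Because the worm walks the extension list in order, a client that queries the same string under .com, .net and .org in quick succession is itself a useful signal even when none of the names resolve; pair the DNS view with the TCP ports listed above when checking connection logs.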
The worm downloads files from the remote host into the %USERPROFILE% folder, saving each under the file name supplied in the decrypted command, for example neode.exe.
Older variants have been observed dropping and/or downloading malware belonging to the following families:
Newer variants, however, have been observed downloading variants from the TrojanDownloader:Win32/Beebone family.
Analysis by Edgardo Diaz Jr & Patrick Estavillo