Worm:Win32/Vobfus.gen!B is a generic detection for obfuscated Visual Basic (VB) compiled malware that spreads via removable drives and downloads additional malware from remote servers.
Installation
Worm:Win32/Vobfus.gen!B drops a copy of itself into the logged-on user's profile directory under a random six-character name, for example "xealip.exe". It then modifies the registry so that the dropped copy runs at each Windows start, as in the following example:
Adds value: "xealip"
With data: "%USERPROFILE%\xealip.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Removable drives
Worm:Win32/Vobfus.gen!B enumerates removable drives and drops copies of the worm executable (for example, "xealip.exe" and "viuoqu.scr") under the root folder of each removable drive:
<drive:>\xealip.exe
<drive:>\viuoqu.scr
The worm then writes an autorun configuration file named "autorun.inf" that points to the worm copy with the ".exe" file extension. When the drive is accessed from a machine that supports the Autorun feature, the worm is launched automatically.
Worm:Win32/Vobfus.gen!B may also drop the following files on the removable drive:
z<two random characters>.lnk
z<two random characters>.dll
Remote drives
Worm:Win32/Vobfus.gen!B drops copies of the worm executable (for example, "xealip.exe" and "xealipx.exe") under the root folder of each writeable remote drive:
<drive:>\xealip.exe
<drive:>\xealipx.exe
The worm also creates shortcuts under the root directory of remote drives with the same names as existing folders in that root directory, for example:
new folder.lnk
passwords.lnk
documents.lnk
pictures.lnk
music.lnk
video.lnk
subst.lnk
..lnk
...lnk
The shortcut links to the dropped worm executable with the ".exe" file extension. Once the user opens the link, the worm copy executes.
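The persistence and drive-spreading indicators described in the Installation and "Spreads via…" sections above can be checked mechanically. The following is an added triage example written for this page, not code from the analysis; it runs over constructed sample data (a Run-key listing and a drive-root listing) rather than querying a live system, and the benign "Updater" entry and the file names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Vobfus-style Run value: six random lowercase letters whose data points at
# %USERPROFILE%\<same name>.exe, as in the "xealip" example above.
RUN_NAME = re.compile(r"^[a-z]{6}$")
DROPPER = re.compile(r"z..\.(lnk|dll)")      # z<two random characters>.lnk/.dll
AUTORUN_OPEN = re.compile(r"^\s*(?:open|shellexecute)\s*=\s*(\S+)", re.I | re.M)

def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Names of HKCU\\...\\Run values that fit the Vobfus persistence pattern."""
    return [name for name, data in run_values.items()
            if RUN_NAME.match(name)
            and data.lower() == f"%userprofile%\\{name}.exe"]

def suspicious_drive_root(folders: List[str], files: List[str],
                          autorun_inf: str = "") -> List[str]:
    """Flag Vobfus artefacts in one drive root: .lnk files named after existing
    folders, z??.lnk / z??.dll droppers, and an autorun.inf that launches an
    executable sitting in that same root."""
    findings = []
    folder_set = {f.lower() for f in folders}
    names = [f.lower() for f in files]
    for f in names:
        stem, _, ext = f.rpartition(".")
        if ext == "lnk" and stem in folder_set:
            findings.append(f"shortcut shadows folder: {f}")
        if DROPPER.fullmatch(f):
            findings.append(f"dropper file: {f}")
    m = AUTORUN_OPEN.search(autorun_inf)
    if m and m.group(1).lower().endswith(".exe") and m.group(1).lower() in names:
        findings.append(f"autorun.inf launches root executable: {m.group(1)}")
    return findings

# Constructed sample inputs (not real telemetry) mirroring the indicators above.
SAMPLE_RUN = {"xealip": r"%USERPROFILE%\xealip.exe",
              "Updater": r"C:\Program Files\Vendor\updater.exe"}   # assumed benign control
SAMPLE_FOLDERS = ["documents", "pictures", "new folder"]
SAMPLE_FILES = ["xealip.exe", "viuoqu.scr", "documents.lnk", "pictures.lnk",
                "zab.lnk", "zab.dll", "autorun.inf", "readme.txt"]
SAMPLE_AUTORUN = "[autorun]\nopen=xealip.exe\nicon=xealip.exe\n"

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN))
    for line in suspicious_drive_root(SAMPLE_FOLDERS, SAMPLE_FILES, SAMPLE_AUTORUN):
        print(line)
```

On a real host the same functions can be fed the output of a Run-key enumeration and a directory listing of each removable or mapped drive root.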
Payload
Modifies computer settings
Worm:Win32/Vobfus.gen!B modifies the following registry entry to prevent the user from changing how hidden files and folders are displayed in Windows Explorer:
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Terminates processes and threads
Worm:Win32/Vobfus.gen!B prevents security software from terminating its processes by patching two Windows system APIs (TerminateProcess and TerminateThread).
Downloads and executes arbitrary files
Worm:Win32/Vobfus.gen!B tries to download additional files from a remote server and save them under %UserProfile%; we have observed the worm contacting the following domain using TCP port 8000:
Analysis by Vincent Tiu