The Latest in IT Security

Watch Out for WORM_VOBFUS

28 Nov 2012

A wave of WORM_VOBFUS variants has recently emerged, with some variants even spreading through Facebook. Based on initial analysis, however, this crop of WORM_VOBFUS presents no new routines. For good measure, users are encouraged to observe best practices such as disabling the Autorun feature and updating their antivirus program with the latest pattern, just to name a few.

What You Need to Know About WORM_VOBFUS

WORM_VOBFUS takes advantage of the Windows Autorun feature to drop copies of itself onto removable and mapped network drives. Variants also arrive as files downloaded or dropped by other malware families. Users may unknowingly download WORM_VOBFUS variants when visiting malicious sites.

These variants were also reported to be spreading on Facebook, usually using (but not limited to) sexually-suggestive file names to pique users’ interest.

The VOBFUS malware drops copies of itself in removable drives using the file names of the user’s folders and files with the following extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

The worm hides the original files and folders and disguises its copies under their names. Users may therefore think they are opening normal files or folders when in fact they are launching WORM_VOBFUS variants in disguise. Like your typical worm, it also drops an AUTORUN.INF so that the file executes automatically when the drive is accessed.

To check whether a system is infected, users can look for the following files:

  • {drive letter}:\Passwords.exe
  • {drive letter}:\Porn.exe
  • {drive letter}:\Secret.exe
  • {drive letter}:\Sexy.exe
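As an added illustration (example code written for this page, not code from the original post or from Trend Micro), the following Python script checks a drive root for the three signs described above: the indicator file names, an AUTORUN.INF, and executables that borrow the name of a folder or of a file with one of the listed extensions. It assumes, as the post implies but does not state, that the disguised copies sit in the drive root next to the hidden originals; the sample drive it builds is constructed for the demonstration.

```python
"""Added example (not from the original post): inspect a removable-drive
root for the WORM_VOBFUS propagation pattern the post describes."""
import tempfile
from pathlib import Path

# Extensions the post says VOBFUS borrows file names from.
DISGUISE_EXTS = {
    ".avi", ".bmp", ".doc", ".gif", ".jpe", ".jpg", ".mp3", ".mp4", ".mpg",
    ".pdf", ".png", ".tif", ".txt", ".wav", ".wma", ".wmv", ".xls",
}
# Drive-root file names the post lists as infection indicators.
INDICATOR_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe"}


def scan_drive_root(root):
    """Return findings for the directory `root` (a drive root).

    Assumption: copies and originals are in the same directory, so a
    disguised copy is an .exe whose stem equals a folder name or the stem
    of a file with a borrowed extension (report.pdf -> report.exe).
    """
    entries = sorted(Path(root).iterdir())  # hidden originals are still listed
    findings = {"indicators": [], "autorun_inf": False, "disguised": []}

    for e in entries:
        low = e.name.lower()
        if low == "autorun.inf":
            findings["autorun_inf"] = True
        elif low in INDICATOR_NAMES:
            findings["indicators"].append(e.name)

    for e in entries:
        if e.suffix.lower() != ".exe":
            continue
        stem = e.stem.lower()
        for other in entries:
            if other == e:
                continue
            if other.is_dir() and other.name.lower() == stem:
                findings["disguised"].append((e.name, other.name))
            elif other.suffix.lower() in DISGUISE_EXTS and other.stem.lower() == stem:
                findings["disguised"].append((e.name, other.name))
    return findings


def is_suspicious(findings):
    """Autorun plus at least one disguised or indicator executable."""
    return findings["autorun_inf"] and bool(findings["indicators"] or findings["disguised"])


def build_sample_drive():
    """Construct a temporary directory that mimics an infected drive root."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_demo_"))
    (root / "Photos").mkdir()                      # original folder
    for name in ("report.pdf", "song.mp3", "notes.txt"):
        (root / name).write_bytes(b"original")     # original files
    for name in ("Photos.exe", "report.exe", "song.exe", "Sexy.exe"):
        (root / name).write_bytes(b"MZ-copy")      # constructed worm copies
    (root / "Setup.exe").write_bytes(b"MZ-ok")      # legitimate, matches nothing
    (root / "autorun.inf").write_text("[autorun]\nopen=Sexy.exe\n")
    return root


if __name__ == "__main__":
    result = scan_drive_root(build_sample_drive())
    print(result, "suspicious:", is_suspicious(result))
```

Run it against a mounted drive root instead of the constructed sample by calling `scan_drive_root("E:\\")` (or the mount point on other systems); a legitimate installer such as Setup.exe with no same-named sibling produces no disguise hit, while each name collision is reported as a (copy, original) pair.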

This worm connects to a remote site where it downloads and executes other malware. Specifically, it connects to the following sites:

  • http://{random number}.ddns1.eu/{random characters}?{random character}
  • http://{random number}.ddns1.eu/{random characters}/?{random character}

Once the file is downloaded, it is saved as %User Profile%\google.com (detected as TSPY_BANCOS.JFB). However, some of the sites this malware connects to are already inaccessible.

These WORM_VOBFUS variants were also observed to connect to a command-and-control (C&C) server, possibly to communicate with a remote malicious user. Below are some of the C&Cs that it connects to:

Based on our analysis, this roster of WORM_VOBFUS variants currently has no new routines compared to previous ones.

Using feedback from the Smart Protection Network, here are the most affected countries as of Nov. 27:

Country         Number of infections
USA             243
India           43
Brazil          27
Saudi Arabia    23
Thailand        23

Trend Micro users are encouraged to update their software with the latest pattern. Trend Micro Smart Protection Network also blocks the related URLs, while Trend Micro Deep Discovery detects WORM_VOBFUS network traffic. Users are also encouraged to disable the Windows Autorun feature. For more information about WORM_VOBFUS, you can consult its Web Attack entry here.

We are currently further looking into this threat. We will update this blog entry for any developments.

Update as of November 28, 2012 2:27 PM PST

WORM_VOBFUS variants also connect to the following remote sites to download and execute TSPY_BANCOS variants:

  • http://{random number}.dtdns.net:{port}/{random characters}?{random character}
  • http://{random number}.ddnsd.eu:{port}/{random characters}?{random character}
  • http://{random number}.ddns01.eu:{port}/{random characters}?{random character}
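As an added example (written for this page, not from the original post or Trend Micro), the script below turns the placeholder URL forms listed in the original entry and in this update into one regular expression and runs it over proxy log lines. The log format and every line in it are constructed for the demonstration, and the regex is an approximation of the placeholder shape (numeric subdomain, one of the four dynamic-DNS domains, optional port, random path, one-character query), so treat a hit as a lead for review rather than proof of infection; note also that attempts to sites that are already unreachable still show up as failed requests.

```python
"""Added example (not from the original post): match the WORM_VOBFUS
download-site pattern against constructed proxy log lines."""
import re

# Domains named in the post's placeholder URLs.
VOBFUS_DOMAINS = ("ddns1.eu", "dtdns.net", "ddnsd.eu", "ddns01.eu")
# Ports the update says the later domains used.
VOBFUS_PORTS = {80, 8080, 443, 9004}

# http://{random number}.<domain>[:{port}]/{random characters}[/]?{random character}
URL_RE = re.compile(
    r"^http://(?P<host>\d+)\."
    r"(?P<domain>" + "|".join(re.escape(d) for d in VOBFUS_DOMAINS) + r")"
    r"(?::(?P<port>\d+))?"
    r"/(?P<path>[A-Za-z0-9]+)/?"
    r"\?(?P<query>[A-Za-z0-9])$"
)

# Constructed sample log: timestamp client method url status
SAMPLE_LOG = """\
2012-11-27T10:01:02Z 10.0.0.5 GET http://8321.ddns1.eu/kfjq?a 200
2012-11-27T10:01:09Z 10.0.0.5 GET http://www.example.com/index.html 200
2012-11-27T10:02:31Z 10.0.0.7 GET http://5573.ddnsd.eu:9004/zpqw/?c 200
2012-11-27T10:03:15Z 10.0.0.9 GET http://files.ddns1.eu/abc?x 404
2012-11-27T10:04:40Z 10.0.0.5 GET http://91020.dtdns.net:8080/ttrx?b 503
"""


def match_vobfus_url(url):
    """Return parsed fields if `url` fits the VOBFUS shape, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else 80
    return {
        "host": m.group("host"),
        "domain": m.group("domain"),
        "port": port,
        "known_port": port in VOBFUS_PORTS,
    }


def find_vobfus_hits(log_text):
    """Scan log lines; a failed request (e.g. 503) is still a hit, since
    the post notes some download sites are already inaccessible."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, status = parts[:5]
        info = match_vobfus_url(url)
        if info:
            info.update(timestamp=ts, client=client, status=int(status))
            hits.append(info)
    return hits


def clients_to_review(hits):
    """Distinct client addresses that contacted a matching site."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = find_vobfus_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("review:", clients_to_review(found))
```

Feed real proxy output by reading the file into `find_vobfus_hits` after adapting the five-field split to your log format; the `known_port` flag separates hits on the ports the update names from hits on other ports, which is useful when prioritising review.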

The domains used ports 80, 8080, 443, and 9004, possibly to evade detection and to resist easy removal from infected systems. Moreover, since VOBFUS has polymorphic capabilities, it can easily add and modify garbage code to generate new variants.

Trend Micro blocks all related URLs as well as detects the VOBFUS variants as:

Despite being an old threat, VOBFUS still manages to infect systems. As such, users are strongly advised to keep their systems and security software up-to-date.
