Worm.Win32.Vobfus

General Explanation

Type: Worm

Degree of destruction: high

Prevalence: high

Names of the malware:

  • Worm.Win32.Vobfus
  • Trojan.Win32.Vobfus
  • Worm.Vobfus

What is the Worm?

Computer worms such as Vobfus is a type of malware that is capable of reproducing. For permanence, worms set ways to maintain the infection with every system boot. The prominent feature of worms is their distribution method that is generally performed by portable dives and shared directories in the network.

What is Vobfus malware?

The Vobfus malware is a worm type and this malware will pursue its goals in two sections; in the first section which runs by the malware itself, the malware checks its permanence and also infect the portable drive by copying itself in it, as soon as it connects to the system. The second section will be executed by the copy of the malware created by itself. In this section, the malware proceeds to download and execute other malware without the user’s notice. Also, this malware uses the anti-VM technique (detecting the virtual machine) that in the case of using VM its malicious procedure will not execute. The main goal of this malware is to download other malware to connect to a server and download the desired malware if the victim does not use any VM.

Technical Explanation

Signs of infection 

  1. Creating the registry key %USERPROFILE%\"RandomName".exe in the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"RandomName".exe
  2. Creating the registry key UACDisableNotify with the zero value in the path of HKLM\SOFTWARE\Microsoft\Security Center
  3. In some newer types, changing the registry key value to 00 in the path of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden  and changing the registry key value to 00 in the path of  HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
  4. Removing all exe files inside the portable drive and creating a detour with their names which all point to the malware execution file.
  5. Hiding a copy of its file in the portable drive and shared drives and directories.
  6. Infecting portable drives by copying itself with multiple names and creating a file with the 0 contents and volume named x.mpeg
      • %USERPROFILE%\Application Data\{random}.exe
      • Removable Drive:\Secret.exe
      • Removable Drive:\Sexy.exe
      • Removable Drive:\Passwords.exe
      • Removable Drive:\Password.exe
      • Removable Drive:\Webcam.exe
      • Removable Drive:\I Love You.exe
      • Removable Drive:\Naked.exe
      • Removable Drive:\Porn.exe
      • Removable Drive:\x.mpeg

How to deal with it and disinfect the system

By UMP capability that is a part of behavioral protection, Padvish can prevent the system from infection through a portable drive. Therefore, to prevent infection to all types of malware that transfer through portable drive such as Vobfus malware, it is recommended to install Padvish and prevent malware from entering and infecting the system.

If your system is infected by Vobfus malware, act as follows:

  1. Install Padvish on your system
  2. Connect the infected portable drive to the system
  3. Scan the portable drive with the Padvish to disinfect both system and portable drives.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>