Vobfus Worm spreads via removable drives and remote shares (Nov 28, 2012)

The Dell SonicWALL Threats Research team has observed an increase in the activity of a Visual Basic based worm that spreads through removable drives and network shares. It propagates by abusing the Windows Autorun functionality on systems that still have autorun enabled. The malware also drops copies of other variants of itself on the target system.

Infection cycle:

Upon execution the Worm performs the following DNS queries:

It downloads and runs the following file [Detected as GAV: Vobfus.GKTI (Worm)]:

It adds the following files to the filesystem:

  • %USERPROFILE%\fltiaz.exe [Detected as GAV: Vobfus.MB (Worm)]
  • %USERPROFILE%\google.com [Detected as GAV: Vobfus.GKTI (Worm)]
  • %USERPROFILE%\zoineeh.exe [Detected as GAV: Vobfus.MB (Worm)]

It adds the following value to the Windows registry so that it is started again after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  fltiaz = "%USERPROFILE%\fltiaz.exe /y"

If a removable drive or network share is attached to the system, it adds the following files to it:

      autorun.inf
      ..exe [Detected as GAV: Vobfus.MB (Worm)]
      ...exe [Detected as GAV: Vobfus.MB (Worm)]
      doubuox.exe [Detected as GAV: Vobfus.MB (Worm)]
      Ghost.exe [Detected as GAV: Vobfus.MB (Worm)]
      new.exe [Detected as GAV: Vobfus.MB (Worm)]
      Passwords.exe [Detected as GAV: Vobfus.MB (Worm)]
      Porn.exe [Detected as GAV: Vobfus.MB (Worm)]
      Secret.exe [Detected as GAV: Vobfus.MB (Worm)]
      Sexy.exe [Detected as GAV: Vobfus.MB (Worm)]
      x.mpeg [empty file]

autorun.inf contains the following data:

      [uwltqjpqjxh]
      gzupk=lqgmrqqrbap
      qdwlllctweangp=spcbbyzrqo
      qltmvzvoy=knjjj
      ptirmx=wowovqtfvggpobi
      [autorun]
      urdhqzqqbeanx=xpxkglhjl
      tnpxnqazil=apkzwbkyagutzq
      fypth=ifzpcchxomrw
      gvhzmwbuoc=orwefptecbp
      sfaokjjjpxpthtj=1237
      vtzjq=7054
      mfvnlhphvdljze=354
      open=dOUbuox.exe [malware executable]
      cllhgp=6641
      dmtetp=9073
      ACTiON=5110
      mafwiruf=rehlobqwgkquqvh
      tjvxskdor=apvzhkuckliiux
      pyxrgzragjrp=teyvvbesbqzl
      uvtpoh=zztct
      useAuTopLAy=1
      qoszphttyjq=eykbilz
      rplgrerq=avfimuuinab
      rfeishnidwt=mhsiyosltd
      gdmpl=uqahjnayhjqthp
      [sqfyudgzycwmt]
      pcomnes=njyuknsbl
      hkful=cnthafzhiaxgb
      koyqytcygawml=epxvcedvtjlg
      qltddccquliiki=dilweqwpzvkbfk
      ohacluzgwonge=ruljjvl
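The autorun.inf above is padded with junk sections and random keys, and the keys that matter are case-randomised (`open=dOUbuox.exe`, `useAuTopLAy=1`, `ACTiON=`). Windows parses INI sections and keys case-insensitively, so none of that stops the file from working, and a detector has to normalise case the same way. The following triage script is an added example and not part of the SonicWALL write-up: it parses an autorun.inf, extracts the executable that the `[autorun]` section would launch, and resolves that name case-insensitively against the drive root. The sample autorun.inf and the drive layout it builds are constructed for the demonstration, modelled on the listing above.

```python
"""Triage the root of a removable drive for an autorun.inf that launches an
executable stored alongside it (added example, not the advisory's own code)."""
import re
import tempfile
from pathlib import Path

# [autorun] keys that cause code execution when AutoPlay honours the file.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Windows treats INI section and key names case-insensitively, which is why
    spellings such as 'ACTiON' or 'useAuTopLAy' are still honoured; lower-casing
    here mirrors that so the detector is not fooled by mixed case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def first_token(value):
    """First command-line token of a value: a quoted path or the first word."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launch_targets(text):
    """Executables the [autorun] section would launch, in LAUNCH_KEYS order."""
    autorun = parse_autorun(text).get("autorun", {})
    targets = []
    for key in LAUNCH_KEYS:
        if key in autorun:
            token = first_token(autorun[key])
            if token:
                targets.append(token)
    return targets


def triage_drive_root(root):
    """Parse autorun.inf at the drive root (if any) and resolve its launch
    target against the directory listing case-insensitively, since FAT/NTFS
    lookups are case-insensitive ('dOUbuox.exe' finds 'doubuox.exe')."""
    root = Path(root)
    entries = {p.name.lower(): p.name for p in root.iterdir()}
    findings = {"autorun_inf": "autorun.inf" in entries,
                "targets": [], "resolved": [], "suspicious": False}
    if not findings["autorun_inf"]:
        return findings
    text = (root / entries["autorun.inf"]).read_text(errors="replace")
    for target in launch_targets(text):
        findings["targets"].append(target)
        real = entries.get(Path(target).name.lower())
        if real:
            findings["resolved"].append(real)
    # An autorun.inf that launches an executable sitting at the drive root is
    # the pattern this worm uses; treat it as a quarantine candidate.
    findings["suspicious"] = bool(findings["resolved"])
    return findings


# Constructed sample modelled on the autorun.inf shown above (junk sections,
# random keys, case-randomised launch keys).
SAMPLE_AUTORUN_INF = """[uwltqjpqjxh]
gzupk=lqgmrqqrbap
[autorun]
urdhqzqqbeanx=xpxkglhjl
open=dOUbuox.exe
ACTiON=5110
useAuTopLAy=1
[sqfyudgzycwmt]
pcomnes=njyuknsbl
"""


def demo():
    """Build a throwaway 'drive root' with the sample autorun.inf and a
    zero-byte doubuox.exe stand-in, then triage it."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_demo_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    (root / "doubuox.exe").write_bytes(b"")  # placeholder, not malware
    (root / "x.mpeg").write_bytes(b"")       # the empty decoy file
    return triage_drive_root(root)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `targets == ['dOUbuox.exe']`, `resolved == ['doubuox.exe']` and `suspicious == True`. The same `triage_drive_root` call can be pointed at a mounted USB stick or a mapped share root; a clean drive with no autorun.inf simply returns `suspicious == False`.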

It also attempts to add itself to any zip archives it finds on the system, on removable drives and on remote shares, using the locally installed WinRAR command-line tool. It was observed issuing the following command:

      "C:\Program Files\WinRAR\Rar.exe" a -y -ep -"E:\myzip.zip" "%USERPROFILE%\Secret.exe"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Vobfus.MB (Worm)
  • GAV: Vobfus.GKTI (Worm)
  • GAV: Bredolab.OQI (Trojan)
  • GAV: Vobfus.FIJJ (Trojan)
  • GAV: Pronny.IJ (Worm)
  • GAV: Vobfus.HS (Worm)