WORM_VOBFUS Infections Not Out of the Picture Yet

As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses Google and MSN to name its dropped files.

We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring this threat and found that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.

When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn download the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the dropped files use enticing keywords or the names of popular sites such as Google and MSN as filenames to trick users.

WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:

  • 1pom.exe
  • 2pom.exe
  • 3pom.exe
  • 4pom.exe
  • 5pom.exe

In other instances, these downloaded files drop a copy of WORM_VOBFUS, resulting in another infection. Based on our Smart Protection Network data, there is an influx of this threat this week, as seen in the data below:

In addition to their normal known routine, Trend Micro found that these variants access a new malicious site to download and execute another WORM_VOBFUS variant, detected as WORM_VOBFUS.SMIT and saved as msn.com.
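The indicators described above (the stable parts of the noip.at:443 download URL and the dropped or downloaded file names) can be turned into a simple proxy-log scan. This is an added example, not code from the original post; the log layout, client addresses and example.test hostname are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators named in the write-up: files dropped by WORM_VOBFUS.SMIS, the
# name WORM_VOBFUS.SMIT is saved under, and the files .SMIT downloads.
VOBFUS_FILENAMES = {"porn.exe", "secret.exe", "sexy.exe", "msn.com",
                    "1pom.exe", "2pom.exe", "3pom.exe", "4pom.exe", "5pom.exe"}
# Stable part of http://{random number}.noip.at:443/{random string}
NOIP_HOST = re.compile(r"^\d+\.noip\.at$")
# Constructed proxy-log layout (an assumption, not from the post):
# <timestamp> <client ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the host
    if NOIP_HOST.match(host) and parts.port == 443:
        return "noip.at:443 download site used by WORM_VOBFUS.SMIS"
    # Compare only the last path segment, so traffic to the legitimate
    # www.msn.com host is not flagged by the "msn.com" file name.
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in VOBFUS_FILENAMES:
        return "known WORM_VOBFUS file name: " + filename
    return None


def scan_proxy_log(lines):
    """Return (line_no, client, url, reason) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        _ts, client, _method, url, _status = m.groups()
        reason = classify_url(url)
        if reason:
            hits.append((n, client, url, reason))
    return hits


# Constructed sample lines, not real traffic; example.test is a placeholder.
SAMPLE_LOG = [
    "2012-12-18T10:01:02Z 10.0.0.5 GET http://www.msn.com/ 200",
    "2012-12-18T10:01:09Z 10.0.0.5 GET http://123456.noip.at:443/abcdefg 200",
    "2012-12-18T10:01:15Z 10.0.0.5 GET http://example.test/dl/msn.com 200",
    "2012-12-18T10:02:30Z 10.0.0.7 GET http://example.test/3pom.exe 200",
    "2012-12-18T10:03:00Z 10.0.0.9 GET http://example.test/index.html 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags lines 2, 3 and 4 and leaves the legitimate www.msn.com request alone.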

WORM_VOBFUS’ Polymorphic Nature Key to Its Persistence

Aside from its capability to spread via drives and networks, the persistence of WORM_VOBFUS may be due to its polymorphic capabilities, which enable it to add garbage code and modify its code in order to generate new variants. Because the malware churns out new variants regularly, detection becomes a challenge, resulting in a cat-and-mouse chase between this worm and antimalware solutions. In addition, it also adopts the names of existing files and folders in order to trick users into executing the malware instead of the legitimate files or folders it spoofs.

To prevent this threat from the onset, users must disable the Windows Autorun feature to keep WORM_VOBFUS (and other worms) from infecting systems and propagating via drives. Updating systems with the latest security updates available is also recommended, as WORM_VOBFUS variants are known to target the dated Windows Shortcut File vulnerability. As readers may recall, this is the same vulnerability exploited by the STUXNET attacks in 2010.

To know more about WORM_VOBFUS, below are previous blog entries we’ve published about this threat:

With additional analysis from Threat Response Engineer Nikko Tamaña

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 18 December 2012; the full text is available from the original content source.