Dec 17, 3:16 pm (UTC-7) | by Jocelyn Racoma (Threat Analyst)
As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files.
We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring this threat and found that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.
When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn download the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the dropped files use enticing keywords or the names of popular sites like Google and MSN as filenames to trick users into believing the files are harmless.
WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:
- 1pom.exe
- 2pom.exe
- 3pom.exe
- 4pom.exe
- 5pom.exe
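As an added example (not code from the original post), the following Python triage script scans proxy log lines for the two indicators described above: cleartext HTTP on port 443 to a numeric-subdomain noip.at host, and requests for the dropped or downloaded filenames the post lists. The log line format, the client addresses and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# URL shape from the post: http://{random number}.noip.at:443/{random string}
# Note the cleartext http:// scheme on port 443: a proxy or NGFW sees this request in the clear.
VOBFUS_HOST = re.compile(r"^\d+\.noip\.at$")

# Filenames the post attributes to WORM_VOBFUS.SMIS (dropped) and WORM_VOBFUS.SMIT (downloaded)
VOBFUS_FILENAMES = {"porn.exe", "secret.exe", "sexy.exe", "msn.com"} | {f"{n}pom.exe" for n in range(1, 6)}


def classify_url(url):
    """Return the list of reasons a URL matches the WORM_VOBFUS indicators (empty if none)."""
    p = urlparse(url)
    try:
        port = p.port
    except ValueError:  # non-numeric port in a malformed record
        port = None
    reasons = []
    if p.scheme == "http" and port == 443 and VOBFUS_HOST.match(p.hostname or ""):
        reasons.append("vobfus-c2-pattern")
    filename = p.path.rsplit("/", 1)[-1].lower()
    if filename in VOBFUS_FILENAMES:
        reasons.append(f"vobfus-filename:{filename}")
    return reasons


def scan_proxy_log(lines):
    """Scan log lines of the assumed form '<ts> <client-ip> <method> <url>' and return hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated records
        ts, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": ts, "client": client, "url": url, "reasons": reasons})
    return hits


# Constructed sample log; hosts and addresses are illustrative, not real indicators.
SAMPLE_LOG = [
    "2012-12-17T15:16:00Z 10.0.0.5 GET http://48213.noip.at:443/qz8Lk2",
    "2012-12-17T15:16:02Z 10.0.0.5 GET http://48213.noip.at:443/msn.com",
    "2012-12-17T15:17:10Z 10.0.0.7 GET http://intranet.example.test/index.html",
    "2012-12-17T15:18:33Z 10.0.0.5 GET http://203.0.113.9/5pom.exe",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```

A client that first matches the C2 pattern and then fetches one of the listed filenames, as 10.0.0.5 does above, is the sequence to prioritise for host isolation and imaging.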