    VOBFUS malware is known for its polymorphic abilities, which allow for easy generation of new variants. We recently came across one variant that replaces these abilities with one never seen in VOBFUS malware before—the ability to “speak” several languages.

    Infection in Different Languages

    Just like other VOBFUS variants, this new variant, detected as WORM_VOBFUS.JDN, propagates by dropping copies of itself in removable drives. Previously, variants used these eye-catching file names in order to convince users to click on the dropped file:

    • passwords.exe
    • porn.exe
    • secret.exe
    • sexy.exe

    WORM_VOBFUS.JDN, on the other hand, takes it one step further by dropping files with file names that depend on the infected computer’s OS language and location. For example, a computer with English as the OS language may receive any of the following files:

    • I love you.exe
    • Naked.exe
    • Password.exe
    • Sexy.exe
    • Webcam.exe

    Whereas a computer that uses Bahasa Indonesia may receive the following files:

    • Aku mencintaimu.exe
    • kata sandi.exe
    • seksi.exe
    • Telanjang.exe

    This variant also uses file names written in these languages:

    • Arabic
    • Bosnian
    • Chinese
    • Croatian
    • Czech
    • French
    • German
    • Hungarian
    • Italian
    • Korean
    • Persian
    • Polish
    • Portuguese
    • Romanian
    • Slovak
    • Spanish
    • Thai
    • Turkish
    • Vietnamese

    While the languages may differ, they all translate to I love you, Naked, Password, and Webcam.
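A defender-side check built on the file names listed above, as an added example that is not part of the original post or Trend Micro's detection: it flags lure-named .exe files in a removable-drive listing and rates them higher when several share one hash. The function names, severity labels and sample listing are constructed, and the hash heuristic assumes the dropped copies are byte-identical.

```python
import unicodedata
from collections import defaultdict
from pathlib import PureWindowsPath

# Lure stems copied from the lists in this post; other languages are not enumerated there.
LURE_STEMS = {
    "passwords", "porn", "secret", "sexy",                  # earlier variants
    "i love you", "naked", "password", "webcam",            # English OS
    "aku mencintaimu", "kata sandi", "seksi", "telanjang",  # Bahasa Indonesia OS
}

def split_name(path):
    """Return (stem, extension) folded for comparison."""
    name = unicodedata.normalize("NFKC", PureWindowsPath(path).name).casefold()
    stem, dot, ext = name.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = name, ""
    # Collapse whitespace so "seksi. exe" and "I  love you.exe" still match.
    return " ".join(stem.split()), ext.strip()

def is_lure(path):
    stem, ext = split_name(path)
    return ext == "exe" and stem in LURE_STEMS

def triage(listing):
    """listing: iterable of (path, sha256) pairs from one removable drive.
    Returns {path: severity}. Assumption: dropped copies are byte-identical,
    so several lure names sharing one hash rate higher than a lone match."""
    by_hash = defaultdict(list)
    for path, digest in listing:
        if is_lure(path):
            by_hash[digest].append(path)
    findings = {}
    for paths in by_hash.values():
        severity = "high" if len(paths) > 1 else "medium"
        findings.update({p: severity for p in paths})
    return findings

# Constructed sample listing (paths and digests are made up).
SAMPLE = [
    (r"E:\I love you.exe", "aa11"),
    (r"E:\Webcam.EXE", "aa11"),
    (r"E:\seksi. exe", "bb22"),
    (r"E:\Password policy.docx", "cc33"),
    (r"E:\tools\setup.exe", "dd44"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```
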

    Malware Going Local

    Infection by way of “localized” threats could be seen as one way for cybercriminals to transform unsuspecting users into victims. Seeing a file or a notification written in their language might pique users’ interest more than seeing one written in English. Users may also find a false sense of security in these “localized” files and notifications as they might view these as less suspicious than other files.

    Police ransomware is one threat that uses this particular technique. This malware poses as the local law enforcement agency of the victim’s country to urge users to pay the fee for their locked computers. For example, a French victim will receive a notification from Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI. There have even been instances in which the ransomware uses an audio clip in the victim’s language. Posing as local law enforcement agencies adds a sense of legitimacy to the claim and may further convince victims to pay the fee.

    We have also seen file-encrypting ransomware use this approach. This malware locks computers and encrypts files until the victim pays a fee. We came across two incidents that targeted Turkish and Hungarian users. The spam containing the malware and the notification were written in their language.

    Cybercriminals will do anything or use any technique possible to gain new victims. We advise users to avoid clicking links or files unless these can be verified. For ransomware incidents, since the files cannot be decrypted (aside from perhaps paying the fee), it’s also good practice to constantly back up files in case of instances such as this one. Trend Micro blocks all threats mentioned in this entry.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice