Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    6:59 am (UTC-7)   |    by

    A wave of WORM_VOBFUS variants has recently emerged with some variants even spreading through Facebook. But based on initial analysis, this crop of WORM_VOBFUS presents no new routines. For good measure, users are encouraged to observe best practices such as disabling Autorun feature and updating their antivirus program with the latest pattern, just to name a few.

    What You Need to Know About WORM_VOBFUS

    WORM_VOBFUS takes advantage of Windows Autorun feature to drop copies onto removable and mapped network drives. They also arrive as downloaded or dropped files of other malware family. Users may unknowingly download WORM_VOBFUS variants when visiting malicious sites.

    These variants were also reported to be spreading on Facebook, usually using (but not limited to) sexually-suggestive file names to pique users’ interest.

    The VOBFUS malware drops copies of itself in removable drives using the file names of the user’s folders and files with the following extensions:

    • .avi
    • .bmp
    • .doc
    • .gif
    • .jpe
    • .jpg
    • .mp3
    • .mp4
    • .mpg
    • .pdf
    • .png
    • .tif
    • .txt
    • .wav
    • .wma
    • .wmv
    • .xls

    This worm hides these files mentioned above as original files and folders. Thus, users may think that they are clicking normal files or folders, while in fact these are WORM_VOBFUS variants in disguise. Like your typical worm, it drops an AUTORUN.INF to automatically execute the file when the drive is accessed.

    To know if system is infected, users must check for the following files:

    • {drive letter}:\Passwords.exe
    • {drive letter}:\Porn.exe
    • {drive letter}:\Secret.exe
    • {drive letter}:\Sexy.exe

    This worm connects to a remote site where it downloads and executes other malware. Specifically, it connects to the following sites:

    • http://{random number}{random characters}?{random character}
    • http://{random number}{random characters}/?{random character}

    Once the file is downloaded it is saved as %User Profile%\ (detected as TSPY_BANCOS.JFB). However, some sites where this malware connects to are already inaccessible.

    These WORM_VOBFUS variants were also observed to connect to a command-and-control (C&C) server, possibly to communicate with a remote malicious user. Below are some of the C&Cs that it connects to:

    Based on our analysis, this roster of WORM_VOBFUS variants currently have no new routines compared to previous ones.

    Using feedback from Smart Protection Network, here are the most affected countries as of Nov. 27:

    Country Number of Infections
    USA 243
    India 43
    Brazil 27
    Saudi Arabia 23
    Thailand 23

    Trend Micro users are encouraged to update their software with the latest pattern. Trend Micro Smart Protection Network also blocks the related URLs, while Trend Micro Deep Discovery detects WORM_VOBFUS network traffic. Users are also encouraged to disable Windows Autorun feature. For more information about WORM_VOBFUS, you can consult its Web Attack entry here.

    We are currently further looking into this threat. We will update this blog entry for any developments.

    Update as of November 28, 2012 2:27 PM PST

    WORM_VOBFUS variants also connect to the following remote sites to download and execute TSPY_BANCOS variants:

    • http://{random number}{port}/{random characters}?{random character}
    • http://{random number}{port}/{random characters}?{random character}
    • http://{random number}{port}/{random characters}?{random character}

    The said domains used ports 80, 8080, 443, and 9004 possibly to evade detection and easy removal from the infected systems. Moreover, since VOBFUS has polymorphic capabilities, it can easily add and modify garbage code to generate new variants.

    Trend Micro blocks all related URLs as well as detects the VOBFUS variants as:

    Despite being an old threat, VOBFUS still manages to infect systems. As such, users are strongly advised to keep their systems and security software up-to-date.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • JEdwards

      To David Bradley or anyone else: we were just recently infected with this worm as well. How did you determine that the worm was spread via a DocuSign email? We have certain suspicions, but wondering if you were able to use any specific tools to identify its source?

    • Rick Zimmerman

      I am a Trend Micro Patner. I was able to track this down and found it talking to I belive this is all coming from China. Also I seeing a good sized bot net made up of tons of US based computers. I belive that all of the files it hides it trys to upload to china. I am told Trend Micro will be releasing new pattern files today to try remove the new versions of this. The problem is every time you restart it downloads a new version of the worm. I am not sure how Trend Micro or any AV company is going to get ahead of this.
      Also I checked all of the AV vendors this morning and no one has anything to stop it.
      This is a true Zero Day Treat.

    • ken edwards

      we were recently hit by this bug or one of its variants. all of our systems are running office scan with the latest patterns. whey didnt the trend software catch this? it took hundreds of shared folders offline across our enterprise. i expected better of trend which offered no protection and even made the situation worse with massive quarantines.

    • David Bradley

      Just got hammered – Trend Micro detected it but did nothing to stop VOBFUS or BANCOS. Virus arrived disguised as a DocuSign document from human resources. Since we use DocuSign, our users were susceptible.

    • Ben Brown

      We got it (running MS Forefront), and it got to our network shares too.

    • Casey S

      Another disappointed Trend Micro (WFBS Advanced) customer here. Brought down the entire network for a day while we removed the worm from systems.

      • Rick Zimmerman

        This is a Zero Day attack. I don’t see any other product saving you from this.

        • Sean

          I’ve been hit using GFI’s VIPRE Business. Lucky it happened at the end of the day, but it was a long night for me…

    • bart kincaid

      We just got hit really bad with it this week, and we also run OfficeScan. The funny thing is that it propagated through our network shares very quickly, and later that day, we get new updates from Trend, and only then did our AV scans start seeing and containing the outbreak. Very frustrating to see this article claim that Trend is/was “aware”, when clearly this is not entirely accurate. My guess is that enough customers were calling tech support over the past several days about this getting past OfficeScan, and thus the update was pushed.

      • Rick Zimmerman

        I have been reporting and uploaded the new version over the last two weeks.

    • Tim Martin

      We saw tens of infections of this new variant and were running a fully updated OfficeScan server. I’m curious – is there any word as to how this “old threat” managed to infect the “protected” systems?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice