TrendLabs Malware Blog - Trend Micro

As the WORM_VOBFUS story unfolds, new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files.

We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring this threat and found that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http://{random number}.noip.at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware.

When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn download the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the names of the dropped files use enticing keywords or the names of popular sites like Google and MSN to trick users into believing these files are harmless.

WORM_VOBFUS.SMIT is capable of downloading any of the following files, which lead to ZBOT and CINJECT malware:

• 1pom.exe
• 2pom.exe
• 3pom.exe
• 4pom.exe
• 5pom.exe

In other instances, these downloaded files drop a copy of WORM_VOBFUS, resulting in another infection. Based on our Smart Protection Network data, there has been an influx of this threat this week, as seen in the data below:

Departing from its known routine, these variants, Trend Micro found, access a new malicious site to download and execute another WORM_VOBFUS variant, detected as WORM_VOBFUS.SMIT and saved as msn.com.
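The infection chain above (the numeric-host noip.at URL on port 443, the porn.exe/secret.exe/sexy.exe droppers, the msn.com second stage and the 1pom.exe to 5pom.exe downloads) can be turned into a simple log-sweep that tells an analyst which machines have reached which stage. The following is an added example, not Trend Micro's code; the proxy and process-creation log format it parses is constructed for the example and does not correspond to any real product's output, and the host names, IPs and paths in the sample lines are invented.

```python
import re
from dataclasses import dataclass

# Indicators named in the post for the WORM_VOBFUS.SMIS -> SMIT -> payload chain.
STAGE1_DROPPED = {"porn.exe", "secret.exe", "sexy.exe"}   # dropped by WORM_VOBFUS.SMIS
STAGE2_DOWNLOAD = {"msn.com"}                             # WORM_VOBFUS.SMIT
STAGE3_DOWNLOAD = {f"{n}pom.exe" for n in range(1, 6)}    # 1pom.exe .. 5pom.exe -> ZBOT/CINJECT

# http://{random number}.noip.at:443/{random string}: numeric host label, port 443, one path element
VOBFUS_URL_RE = re.compile(r"^https?://\d+\.noip\.at:443/[^\s/]+$", re.IGNORECASE)

# Constructed log format for this example (not a real product's output):
#   <timestamp> proxy <client-ip> <method> <url>
#   <timestamp> proc  <host> <parent image> -> <child image path>
SAMPLE_LOG = [
    r"2014-12-18T10:01:02 proxy 10.0.0.5 GET http://48221.noip.at:443/kdhf8s2",
    r"2014-12-18T10:01:05 proc WS01 explorer.exe -> C:\Users\bob\AppData\Local\Temp\secret.exe",
    r"2014-12-18T10:01:09 proc WS01 secret.exe -> C:\Users\bob\AppData\Local\Temp\msn.com",
    r"2014-12-18T10:01:20 proc WS01 msn.com -> C:\Users\bob\AppData\Local\Temp\3pom.exe",
    r"2014-12-18T10:02:00 proxy 10.0.0.7 GET http://www.noip.at/index.html",
    r"2014-12-18T10:02:03 proc WS02 explorer.exe -> C:\Program Files\Google\update.exe",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: str     # client IP (proxy) or hostname (proc)
    stage: str
    indicator: str


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1]


def classify_filename(name):
    """Map a file name to the chain stage it belongs to, or None if it is not an indicator."""
    n = name.lower()
    if n in STAGE1_DROPPED:
        return "stage1-dropped"
    if n in STAGE2_DOWNLOAD:
        return "stage2-download"
    if n in STAGE3_DOWNLOAD:
        return "stage3-download"
    return None


def scan(lines):
    """Return one Hit per log line that matches a URL or file-name indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue
        kind, source = parts[1], parts[2]
        if kind == "proxy" and VOBFUS_URL_RE.match(parts[4]):
            hits.append(Hit(no, source, "c2-url", parts[4]))
        elif kind == "proc" and "->" in line:
            child = basename(line.split("->", 1)[1])
            stage = classify_filename(child)
            if stage:
                hits.append(Hit(no, source, stage, child))
    return hits


def stages_by_source(hits):
    """Group the stages observed per host / client so the chain can be read per machine."""
    seen = {}
    for h in hits:
        seen.setdefault(h.source, set()).add(h.stage)
    return seen


def full_chain_sources(hits):
    """Hosts on which all three file stages (drop, msn.com, Npom.exe) were observed."""
    wanted = {"stage1-dropped", "stage2-download", "stage3-download"}
    return sorted(src for src, st in stages_by_source(hits).items() if wanted <= st)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.source} {h.stage} {h.indicator}")
    print("full chain observed on:", full_chain_sources(hits))
```

The file-name indicators are deliberately weak on their own (a legitimate file could be called secret.exe), which is why the grouping step matters: a host that shows the drop, the msn.com download and an Npom.exe download in sequence is a far stronger signal than any single name, and the numeric-host noip.at URL on port 443 is the indicator worth alerting on immediately.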

WORM_VOBFUS’ Polymorphic Nature Key to Its Persistence

Aside from its capability to spread via drives and networks, the persistence of WORM_VOBFUS may be due to its polymorphic capabilities, which enable it to add garbage code and modify its own code in order to generate new variants. Because the malware churns out new variants regularly, detection becomes a challenge, resulting in a cat-and-mouse chase between this worm and antimalware solutions. In addition, it also borrows the names of existing files and folders in order to trick users into executing the malware instead of the legitimate files or folders it spoofs.

To stop this threat at the onset, users must disable the Windows AutoRun feature to keep WORM_VOBFUS (and other worms) from infecting and propagating via drives. Updating systems with the latest security updates available is also recommended, as WORM_VOBFUS variants are known to target the dated Windows Shortcut File vulnerability. As readers may recall, this is the same vulnerability exploited by the STUXNET attacks in 2010.
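The AutoRun advice above is checkable: on Windows the per-drive-type switch is the NoDriveTypeAutoRun DWORD under the Explorer policies key, with one bit per drive class and a set bit meaning "AutoRun disabled for that class", so 0xFF disables it everywhere. The block below is an added example, not Trend Micro's code, that reads that value out of a `reg export` text and reports which drive classes would still AutoRun; the two exported snippets are constructed for the example (0x91, a permissive value that leaves removable and fixed drives enabled, beside the hardened 0xFF), and the code does not check the Shortcut File patch status, which the post's second recommendation would additionally require.

```python
import re

# Policy key that controls AutoRun per drive type (the HKLM policy; a per-user copy exists under HKCU).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per GetDriveType() class; a set bit disables AutoRun for that class.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, the vector the post warns about
    "fixed": 0x08,
    "remote": 0x10,      # mapped network drives
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
HARDENED_VALUE = 0xFF  # every class disabled

# Constructed examples of a `reg export` of the policy key: a permissive value and the hardened one.
PERMISSIVE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

_VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})\s*$', re.MULTILINE)


def read_policy(export_text):
    """Extract the DWORD from an exported key; None means the value is absent."""
    m = _VALUE_RE.search(export_text)
    return int(m.group(1), 16) if m else None


def autorun_enabled_types(value):
    """Drive classes for which AutoRun is still allowed under the given policy value.

    An absent value is treated as fully permissive here, since the effective default
    then depends on the Windows version rather than on anything the export shows.
    """
    if value is None:
        value = 0
    return sorted(t for t, bit in DRIVE_TYPE_BITS.items() if not value & bit)


def is_hardened(value):
    """True only when all eight drive-type bits are set."""
    return value is not None and (value & HARDENED_VALUE) == HARDENED_VALUE


def assess(export_text):
    """Return (hardened?, list of still-enabled classes) for one exported policy key."""
    v = read_policy(export_text)
    return is_hardened(v), autorun_enabled_types(v)


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_EXPORT), ("hardened", HARDENED_EXPORT)):
        ok, still_on = assess(text)
        print(f"{label}: hardened={ok} autorun still enabled for {still_on or 'nothing'}")
```

Feed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" out.reg` (run on the machine being checked) to `assess`; anything other than `(True, [])` means a drive class, most importantly "removable", would still honour an autorun.inf on insertion.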

To know more about WORM_VOBFUS, below are previous blog entries we’ve published about this threat:

With additional analysis from threat response engineer Nikko Tamaña

Update as of Dec. 19, 2:54 AM, PST

Based on our further investigation, the final payload of WORM_VOBFUS.SMIT is not limited to ZBOT and CINJECT. We found instances in which the infection led to other malware families, including TSPY_FAREIT variants.

• Rick Zimmerman

  I have two new WORM_VOBFUS variants to submit to Trend today. Also another possible Zbot. Big thanks to Trend for working fast to keep up with this threat.
© Copyright 2013 Trend Micro Inc. All rights reserved.