SonicWALL Security Products Partners | Contact Sales 1-800-509-1265

 •   • 

ES Blogs

Vobfus Worm Spreads via Removable and Remote Drives

November 28, 2012
By Neil King

The Dell SonicWALL Threats Research Team observed an increase in the activity of a Visual Basic-based Worm that spreads through removable drives and network storage devices. Identified by Microsoft as the Vobfus Worm in 2009, it can also change Windows settings, and may download other malware.

The Vobfus Worm drops copies of itself under the root folder of each removable drive attached to the system. Then it exploits the Windows Autorun functionality so that the drive is accessed by a machine supporting Autorun, and the malware is automatically launched. Vobfus has also been known to drop copies of other variants of itself on the target system.

According to Microsoft,Vobfus spreads to remote drives by dropping copies of the Worm under the root folder of each writeable remote drive. It also creates shortcuts on the remote drive that have the same name as folders that already exist in the root directory. These shortcuts link directly to worm executables, so once the user clicks the link, the worm will copy itself onto the remote drive.

In addition to spreading via removable and remote drives, Vobfus also attempts to add itself to any zip files that it finds on the system. If you are a current customer with a valid subscription, SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Vobfus.MB (Worm)
  • GAV: Vobfus.GKTI (Trojan)
  • GAV: Bredolab.OQI (Trojan)
  • GAV: Vobfus.FIJJ (Trojan)
  • GAV: Pronny.IJ (Worm)
  • GAV: Vobfus.HS (Worm)
  • GAV: Vobfus.MB (Worm)

Learn more:


Microsoft Malware Protection Center.