Revisiting Vobfus Worm (Mar 8, 2013)

The Dell Sonicwall Threats Research team came across a sample appearing to be a new variant of the Vobfus family. Vobfus is a family of Visual Basic based worm that spreads through removable devices & network shares and is also known for downloading & executing other malware family binaries. The creators of this malware family have added many new features since the last time we published a SonicAlert on this family here.

Infection Cycle:

• Upon execution, the worm performs the following DNS queries to download the latest version of itself from a remote server:
  
• It downloads the latest Vobfus variant in an encrypted form. This is a new feature found in the recent Vobfus samples as the initial variants of Vobfus downloads were not encrypted.

Upon successful download, it decrypts and executes the downloaded file.

• It attempts to download other malware family executables which in our case belonged to Zeus and FakeAV family. These executables are downloaded in an unencrypted form.
• The downloaded files are dropped at the following locations on the filesystem:
• %USERPROFILE%muoeyus.exe
• %USERPROFILE%vuvuv.exe
• %USERPROFILE%3s8.exe
• %TEMP%2724921.exe
• The worm adds the following registry key to enable startup after reboot:
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "muoeyus" "%USERPROFILE%muoeyus.exe /k"
• As seen in the previous variants, it drops multiple copies of itself to any external drives or network shares that are attached to the infected system using following filenames:
• Passwords.exe
• Porn.exe
• Secret.exe
• Sexy.exe
• x.mpeg
• Autorun.inf
• Muoeyus.exe

The following image shows the dropped files.

The worm also attaches itself to any ZIP or RAR files it finds on the system, removable drives and network shares.

• It also hides all the folders present in the external drive and drops an executable with the same name and a disguised folder icon. This will mislead the user into double clicking the malicious executable. This feature is normally attributed to the family of Autorun Worms. Recently, Vobfus has also started to use this technique as seen here:
• The newer variants of Vobfus also contains a series of Anti-Debugging, Anti-Virtualization and Anti-Sandbox checks, seen for the first time in Vobfus family.
• It uses GetModuleHandle API call to check for the presence of debuggers, sandbox, and Avast Antivirus.
• It then checks for the presence of Virtualization software such as VMWare, VirtualBox, and QEMU by querying the system registry.
• The worm disables the Windows AutoUpdate feature on the infected system. It also patches the first byte of TerminateProcess and TerminateThread API with C3 (RET Instruction) to prevent any external processes from terminating the running instance of the malware:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Vobfus.SB (Worm)
• GAV: Suspicious#vobfus (Worm)
• GAV: Suspicious#vobfus_2 (Worm)
• GAV: Zbot.FZB (Trojan)