VBObfus

This page shows details and results of our analysis on the malware VBObfus

Overview

This description is for a Downloader Trojan which, when executed, can download further malicious components from the web and install them on the victim's machine.

The characteristics of this downloader (file names, URLs accessed, files downloaded, etc.) differ depending on how the attacker has configured it. Hence this is a general description.


Minimum DAT

6086 (2010-08-26)

Updated DAT

6310 (2011-04-08)

Minimum Engine

5400.1158

File Length

varies

Description Added

2010-08-26

Description Modified

2011-04-08

Malware Proliferation

Characteristics

When executed, this malware creates the following files:

  • %UserProfile%\[random].exe

Note:

  • The MD5 of the file dropped in the above location changes every time the malware is executed, so hash-based matching alone will not find it
  • %UserProfile% is a variable location and refers to the user's profile folder, e.g. C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP)

The malware also drops copies of itself on any inserted USB disk, along with several .lnk files pointing to this executable. Existing folders on the disk are randomly selected and made hidden, and .lnk files with folder icons are created in their place to mimic those folders, so a user who double-clicks what looks like a folder runs the malware instead.

The malware then creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Data: "mbvoj.exe" = "%userprofile%\[random].exe"

The above registry entry ensures that the malware executes at Windows startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Data: "ShowSuperHidden" = 00, 00, 00, 00

The above registry entry keeps Windows Explorer from displaying hidden and system files and folders, so the items the malware hides stay out of sight. Note that 0 is also the Windows default for this value ("Hide protected operating system files"), so on its own it is not evidence of infection.
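The three host indicators above (an .exe dropped directly into %UserProfile% and autostarted from the HKCU Run key, ShowSuperHidden forced to 0, and .lnk decoys standing in for folders that were made hidden on a removable drive) can be checked together. The script below is an example added to this page, not code from the original description or from the vendor: the registry values and the drive listing are constructed samples, the dropper name qxzlr.exe is made up, and the pattern used for "[random].exe" (any .exe directly under %UserProfile%) is an assumption rather than a vendor signature.

```python
r"""Host triage for the VBObfus indicators: profile-root .exe autostarted from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, ShowSuperHidden = 0, and
folder-icon .lnk decoys next to hidden folders on a USB drive.

Added example, not part of the original page. All sample data is constructed.
"""
import re
from dataclasses import dataclass

# Run value data of the form %UserProfile%\<anything>.exe (optionally quoted).
# Assumption: the dropper sits in the profile root, not in a subfolder.
RUN_DATA_RE = re.compile(r'^"?%userprofile%\\[^\\]+\.exe"?$', re.IGNORECASE)


def suspicious_run_entries(run_values):
    """Names of Run values whose data points at an .exe directly under
    %UserProfile%. Legitimate autostarts live under Program Files or an
    AppData subfolder; an executable autostarted from the profile root is the
    pattern this family uses."""
    return [name for name, data in run_values.items()
            if RUN_DATA_RE.match(data.strip())]


def super_hidden_disabled(advanced_values):
    """True when ShowSuperHidden (REG_DWORD) is 0, i.e. Explorer hides files
    carrying both the hidden and system attributes. Caveat: 0 is also the
    Windows default, so treat this as corroboration, not evidence on its own."""
    raw = advanced_values.get("ShowSuperHidden")
    if raw is None:
        return False
    if isinstance(raw, (bytes, bytearray)):      # raw REG_DWORD bytes
        return int.from_bytes(raw, "little") == 0
    return int(raw) == 0


@dataclass
class Entry:
    """One item from the root of a removable drive."""
    name: str
    is_dir: bool
    hidden: bool
    lnk_target: str = ""   # resolved target; only meaningful for .lnk files


def decoy_links(entries):
    """Pair every .lnk with a hidden folder of the same stem. A visible
    'Photos.lnk' beside a hidden 'Photos' folder, whose target is an .exe, is the
    folder-icon decoy described above. Returns (link name, target) pairs."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    found = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()
        if stem in hidden_dirs and e.lnk_target.lower().endswith(".exe"):
            found.append((e.name, e.lnk_target))
    return found


def triage(run_values, advanced_values, entries):
    """Combine the three checks into one report dict."""
    return {
        "run_entries": suspicious_run_entries(run_values),
        "super_hidden_disabled": super_hidden_disabled(advanced_values),
        "decoy_links": decoy_links(entries),
    }


# --- constructed samples (not captured from a real host) -------------------
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "mbvoj.exe": "%userprofile%\\qxzlr.exe",     # made-up [random].exe name
}
SAMPLE_ADVANCED = {"ShowSuperHidden": b"\x00\x00\x00\x00", "Hidden": 2}
SAMPLE_DRIVE = [
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.lnk", is_dir=False, hidden=False, lnk_target="E:\\qxzlr.exe"),
    Entry("Work", is_dir=True, hidden=False),
    Entry("Notes.lnk", is_dir=False, hidden=False, lnk_target="E:\\Work\\notes.txt"),
    Entry("qxzlr.exe", is_dir=False, hidden=True),
    Entry("autorun.inf", is_dir=False, hidden=True),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RUN, SAMPLE_ADVANCED, SAMPLE_DRIVE).items():
        print(f"{key}: {value}")
```

On a live host the inputs come from the Run and Advanced keys under HKCU and from a listing of the drive root taken with hidden files included; the .lnk targets must be resolved first (for example through the WScript.Shell COM object), since the decoy check keys on where the shortcut actually points, not on its icon.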

Connections may be made on the following ports*:

  • port 8002
  • port 8001
  • port 8000
  • port 80
  • port 443
  • port 3128
  • port 47221

*Other port communication may also be possible with newer variants.

The malware attempts to connect to the following URLs to download additional malware:

  • ns1.thepicture[removed].net
  • bert[removed].com
  • ns[removed]3.com

Symptoms

  • Presence of files and registry entries mentioned
  • Unexpected connections to the domains listed above
  • Presence of the following autorun.inf file on the root of removable and fixed drives:

 

Method of Infection

This malware spreads by copying itself to network shares and to removable devices, along with an Autorun.inf.

Infection starts either when the infected file is executed manually or simply by navigating to a folder containing the infected files, where the Autorun.inf file can cause the worm to be executed automatically.
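The page does not show the Autorun.inf that the worm writes, but the keys that make such a file dangerous are fixed: open=, shellexecute= and shell\<verb>\command= all start a program when the drive is opened or a context-menu verb is chosen. The checker below is an example added to this page, not taken from the original description; SAMPLE_AUTORUN and BENIGN_AUTORUN are constructed files and the executable name qxzlr.exe in them is made up.

```python
r"""Static check of an autorun.inf for keys that launch a program when the
drive is opened, the vector described under Method of Infection.

Added example, not part of the original page. The sample files are constructed.
"""
import re

LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command hijacks the drive's context-menu verbs (Open, Explore, ...).
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Extensions that run code directly; a .lnk or a .dll,<index> icon does not count.
EXE_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lower-cased.
    Tolerates a BOM, blank lines, ';' comments and repeated keys (last wins)."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(key, value) pairs under [autorun] that start a program: open=,
    shellexecute= and every shell-verb command= line, in file order."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def looks_malicious(text):
    """True when any launch key names an executable. Software CDs legitimately
    use open=setup.exe, so on optical media this is only a lead; on a USB stick
    an autorun.inf that launches an .exe is almost never legitimate."""
    return any(EXE_RE.search(v) for _, v in launch_targets(text))


SAMPLE_AUTORUN = """\
[autorun]
;constructed sample in the shape USB worms use; qxzlr.exe is a made-up name
open=qxzlr.exe
shell\\open\\Command=qxzlr.exe
shell\\explore\\Command=qxzlr.exe
shellexecute=qxzlr.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

BENIGN_AUTORUN = """\
[autorun]
label=Backup
icon=backup.ico
"""

if __name__ == "__main__":
    for key, value in launch_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {value}")
    print("malicious:", looks_malicious(SAMPLE_AUTORUN))
```

Two caveats when using this. First, the icon= and action= lines in the constructed sample are there because worms of this era used them to make the drive's AutoPlay prompt look like a plain "Open folder" choice; they do not launch anything by themselves, so the check keys only on the launch entries. Second, Windows 7 ignores autorun.inf on non-optical removable media, and the February 2011 update KB971029 brought the same restriction to XP and Vista, so on patched hosts the .lnk decoys described under Characteristics, not the Autorun.inf, are the USB vector that still works.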

This malware may also be received under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

 

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants