CERT-MU :Vulnerability

Home | Search | FAQ | Site Map | Contact Us

|| Hotline : 800 2378 || To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu || To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

Incident Statistics Forms

Vol. 2, Feb 2012

Vol. 1, Oct 2011

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Anti-Spam Initiative

Cyber Security Portal

Safer Internet Day

Computer Security Day

National Computer Board

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU Virus Alert VA-2010-18

Worm Win32/Vobfus.U

Date Published: July 29, 2010

Description

It has been observed that a highly obfuscated visual basic (VB) compiled network aware worm family dubbed Vobfus( Visual Basic Obfus cated) is spreading

The propagate through removable and shared dries by dropping traditional autorun.inf files and crafted shortcut files( .LNK files) pointing to the dropped worm copy. It is also reported that the dropped LNK files are exploiting the recently disclosed zero day vulnerability ( CVE-2010-2568 , CIVN-20210-169 ) wherein Windows which fails to handle short cut files.

Once successfully installed, the worm pulls further malware(Hiloti, Alutreon, Renos, Virut) on to the victim system.

Aliases:

Worm/VB.12.W (AVG) Win32.HLLW.Autoruner.25089 (Dr.Web), Downloader-CJX.gen.f (McAfee),Worm.VBNA.Gen.3 VirusBuster), W32.Changeup.C (Symantec)
Upon execution the variants:

Drops the following copies of itself and adds as
windows services with names MRXCLS and MRXNET.

%UserProfile%\[RANDOM FILE NAME].exe

Attepmts to spread by dropping copying itself to
removable and network shared drives as the following files:

%DriveLetter%\[RANDOM FILE NAME].exe
%DriveLetter%\[RANDOM FILE NAME].scr

Creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run\"[RANDOM FILE NAME]" =
"%UserProfile%\[RANDOM FILE NAME].exe"

Modifies the following registry key to hide itself:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced\
"ShowSuperHidden" = "0"

Attempts to contact the following remote hosts:

Codeconline . net
imagehut2 .cn
msdip .com
peazoom . com
thethoughtzone .net
usezoom . com
vrera . com
zoomslovenia . com

Attempts to contact the following domain to
download further malware or update itself

ns[ONE NUMBER].mysearchhere . net
ns[ONE NUMBER].searchhereonline . net
ns[ONE NUMBER].theimageparlour . net
ns[ONE NUMBER].thepicturehut . net

Spreads by copying itself to removable drives
as the following files:

%DriveLetter%\autorun.inf
%DriveLetter%\x.exe
%DriveLetter%\New Folder.lnk
%DriveLetter%\Passwords.lnk
%DriveLetter%\Documents.lnk
%DriveLetter%\Pictures.lnk
%DriveLetter%\Music.lnk
%DriveLetter%\Video.lnk
%DriveLetter%\[RANDOM FILE NAME].dll
%DriveLetter%\[RANDOM FILE NAME].lnk
%DriveLetter%\[THREE RANDOM CHARACTERS].dll
%DriveLetter%\[THREE RANDOM CHARACTERS].lnk%DriveLetter%\
[EXISTING FOLDER NAME].lnk

Countermeasures

Delete files and the registry entries made by the Vobfus worm mentioned above
Install and maintain updated anti-virus software at gateway and desktop level
Apply appropriate patches as mentioned in CERT-MU vulnerability note (CERT-MU Vulnerability Note VN-2010-15)
Disable autoplay
Exercise caution while using USB devices.

Use caution when opening attachments and accepting file transfers.

References

http://www.symantec.com/security_response/writeup.jsp?docid=2010-072915-5524-99&tabid=2

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street
Port Louis