We’ve added detection for two new malware families using the vulnerability described in SA2286198. The first, Win32/Vobfus, is actually a family of obfuscated worms that has been around since 2009. According to our fellow researcher Marian Radu, who named the family, the name was derived from the fact that the worm is coded in Visual Basic (VB) and is highly obfuscated:

V(isual Basic) + obfuscated = Vobfus

We need to emphasize, however, that the first Vobfus samples that we’ve seen using the shortcut vulnerability have only emerged in the past few days. Previous samples of Vobfus DO NOT exploit the vulnerability. The first Vobfus variant to do so is Worm:Win32/Vobfus.H.

Vobfus and shortcut files have a longstanding relationship: this family has, from the beginning, been using shortcut files as a social engineering technique to get users to run its code. However, these shortcut files DID NOT automatically run. Rather, Vobfus also drops an autorun.inf file to run its copy in the drive if Autorun is enabled (see how to disable Autorun in your Windows computer). New samples of Vobfus.H, however, as we previously mentioned, drop a specially-crafted, malicious shortcut file that exploits the vulnerability discussed in SA2286198. We detect these malicious links as Exploit:Win32/CplLnk.B; the same detection as some of the shortcut files associated with the vulnerability exploited by the Stuxnet family.

The other new malware family that we’ve seen associated with the shortcut vulnerability is Chymine, the dropper component which we’ve seen launched by a specially-crafted, malicious shortcut file that exploits SA2286198. In this case, Trojan:Win32/Chymine.A is launched by a malicious shortcut that we detect as Exploit:Win32/CplLnk.A. It, in turn, drops another trojan we detect as TrojanSpy:Win32/Chymine.A, which we’ve observed to be logging user keystrokes and downloading other malware. Aside from that, it seems to be just another malware that exploits a new attack vector. We’re keeping an eye out for this family and other potential malware that may be using the same vector.

What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it.

So what can users do in the meantime? The MMPC has released detection for all of the currently known Stuxnet, Vobfus, and Chymine malware, so make sure that you have the latest definitions if you are using a Microsoft antivirus solution.  If you don’t antivirus protection, consider installing Microsoft Security Essentials. An option to prevent exploitation of the vulnerability is to disable displaying shortcut icons; there’s a Microsoft Knowledge Base Article (2286198) outlining exactly how to do that. And if you suspect that you have a malicious file in your computer, whether or not you think it exploits the vulnerability discussed in SA2286198, we encourage you to send us a sample.

Worm:Win32/Vobfus.H
127f24a7ba42e6f31e9b4044555898fded211de8
5a474fa6e79b80145b06762a5c795f3e197d350a

TrojanSpy:Win32/Chymine.A
42e7a0dba9ddb5ec0101dc26bf6d989834488b7c
bd4c09d2431e31aff6b397e38fc67845174c3d74

-- Francis Allan Tan Seng & Elda Dimakiling