Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability. The .LNK vulnerability has also been used by Chymine, Sality, and Zbot, though it is no longer used by Vobfus.

The name Vobfus reflects two characteristics of these worms: they are written in Visual Basic and they are obfuscated. Vobfus is Visual Basic malware compiled either to p-code (pseudo code) or to native code (see this KB for information about p-code and native code). The obfuscation of Vobfus's malicious payload started with simple string manipulation and has evolved into more complex string decoding. The following are some examples of the polymorphic string building used by different variants of Vobfus:

Figure 1 Vobfus code examples

Vobfus is downloaded by other malware; currently it's being downloaded by Win32/Beebone downloaders. Based on our observations, Beebone variants then download other variants of Vobfus, creating an infection cycle that means where you see one of these families, you'll often see the other. But more about this later.

Beebone is a family of Visual Basic compiled trojan downloaders that is known to download threats from the following families, listed in order of prevalence observed over the past month: 

Vobfus spreads via removable drives and mapped network drives. It copies itself to these drives with a random file name, or a not-so-random one such as:

  • passwords.exe
  • porn.exe
  • secret.exe
  • sexy.exe
  • subst.exe
  • video.exe

The "autorun.inf" file accompanying the Vobfus worm file is detected as VirTool:INF/Vobfus.gen.  
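A drive-root triage check for the spreading behaviour described above, as an added example (not code from the original post or from Microsoft): it parses the launch entries in autorun.inf and flags the file names listed above. The function names and the sample drive contents are constructed for illustration, and only the root folder of the drive is inspected.

```python
import os
import re
import tempfile

# Lure file names listed in the article above.
LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe",
              "subst.exe", "video.exe"}
# autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(\S.*)$", re.I)

def autorun_targets(inf_text):
    """Return the lower-cased executable names an autorun.inf would launch."""
    targets = set()
    for line in inf_text.splitlines():
        m = LAUNCH_KEY.match(line)
        if not m:
            continue  # section headers, comments, icon/label keys, junk lines
        cmd = m.group(2).strip()
        # Quoted path: take the quoted part; otherwise the first token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        targets.add(os.path.basename(exe.replace("\\", "/")).lower())
    return targets

def scan_drive_root(root):
    """Report autorun.inf launch targets and lure-named files in a drive root."""
    names = {n.lower(): n for n in os.listdir(root)}
    findings = []
    inf = names.get("autorun.inf")
    # A folder named autorun.inf launches nothing, so only a file is parsed.
    if inf and os.path.isfile(os.path.join(root, inf)):
        with open(os.path.join(root, inf), errors="replace") as fh:
            for exe in sorted(autorun_targets(fh.read())):
                state = "present" if exe in names else "missing"
                findings.append(("autorun-target", exe, state))
    findings += [("lure-name", names[n], "present")
                 for n in sorted(names) if n in LURE_NAMES]
    return findings

def demo():
    """Scan a constructed drive root (empty placeholder files, not samples)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("secret.exe", "report.docx", "xkqzv.exe"):
            open(os.path.join(root, name), "w").close()
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write('[autorun]\n;junk\nopen=xkqzv.exe\n'
                     'shell\\open\\command = "xkqzv.exe" /s\n')
        return scan_drive_root(root)

if __name__ == "__main__":
    print(demo())
```

A finding is a lead for review, not a verdict: legitimate media can carry an autorun.inf, and a randomly named copy is only caught here when autorun.inf points at it.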

Vobfus copies itself to the %userprofile% folder with a random name, or a not-so-random name, as previously listed. It also creates a runkey to ensure it runs every time Windows starts. Finally, Vobfus contacts a C&C server to obtain encrypted instructions on where to download Beebone; Beebone subsequently downloads Vobfus, and a number of other threats.

So, to recap, where Vobfus is detected, we often find Win32/Beebone too; the two threat families are intrinsically related and download each other in a cycle. This cyclical relationship is the reason why Vobfus may seem so resilient to antivirus products. Vobfus and Beebone can constantly update each other with new variants. Updated antivirus products may detect one variant present on the system; however, newer downloaded variants may not be detected immediately. A typical self-updating malware family that just updates itself can be remediated once it is detected, because once removed from the system it cannot download newer versions of itself. In the case of Vobfus, even if it is detected and remediated, it could have downloaded an undetected Beebone, which can in turn download an undetected variant of Vobfus. The following diagrams illustrate this more clearly.

[Figures: Vobfus stage 1, Vobfus stage 2, Vobfus stage 3, Vobfus stage 4]

In a network environment with heavy use of mapped network drives or data-sharing via removable drives, Vobfus can spread by copying itself and an autorun.inf file to those drives. In the wild, we have observed that Vobfus maintains a very successful removable-drive infection rate, which supports its spread.

Furthermore, because of all the companion malware families that are downloaded by Beebone, the cumulative side-effects of all the malware families are present in infected machines. We recommend you refer to the encyclopedia entries for each of these families for more information on the effects these malware have on your machine, and for specific remediation advice.

You might consider the following guidelines to help prevent being infected with Vobfus and Beebone:

  • One infection vector is drive-by download, so use caution when clicking external links, and keep your browser and all other installed software up to date to help prevent software exploits.
  • Vobfus is primarily downloaded by Beebone or spread via removable drives. A possible method of prevention is disabling autorun functionality; see this KB for more details on how to do this.

And of course, as always, using an up-to-date complete antivirus solution such as Microsoft Security Essentials will help prevent many malware infections.

Hyun Choi
MMPC