Trojan.Win32.Vobfus.paa

by alexander.adamov on May 17th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 237568 bytes
Language: Visual Basic
MD5: 018A76D10A668BF3F403A5FC31A47CD8
SHA1: DB8834E418CC90C36CEC54AD10A3625FFE92C654

Summary

Trojan.Win32.Vobfus.paa is a Trojan program which infects files downloaded from the Internet without the user's knowledge or consent and launches them for execution. It also has worm-like features: the Trojan can spread via removable media as well as shared network resources.

Technical Details

Installation

Once launched, the Trojan copies itself to the following directory as:

%USERPROFILE%\<rnd>.exe

where <rnd> is a random sequence of the Latin alphabet letters (for example, "kiuqe" or "lbgim").

The Trojan modifies itself to counteract antivirus program signature analyzers.

To automatically run itself each time Windows is booted, the following registry key is added:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<rnd>" = "%USERPROFILE%\<rnd>.exe /c"

The copy is then launched for execution.

Payload

The Trojan connects to the attacker's server:

ns1.spansearcher.net

and then downloads other malicious programs to the victim machine. Downloaded files are saved as:

%USERPROFILE%\<rnd>.com

where <rnd> is a random sequence of the Latin alphabet letters (for example, "juakep").

Once the download completes successfully, those files are launched for execution. At the time this description was written, the following file was downloaded from the server mentioned above: 20480 bytes in size; MD5: B020402E73A4CBC0DDD55116D4EF9660; SHA1: D1EBA785BB35BAA442AD7331CA6A4E35B1E4211A.

When executed, the Trojan sets the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

As a result, files with the hidden and system attributes are not displayed in Windows Explorer.

[HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate" = "1"

This value disables automatic Windows updates on the infected machine.
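As an added example (not code from the original description), the following Python script parses a registry export in .reg format and flags the three settings listed above: a Run value whose short random name points at <name>.exe in the profile root with the /c argument, ShowSuperHidden set to 0, and NoAutoUpdate set to 1. The sample export, the value name "kiuqe", the path C:\Users\bob and the benign OneDrive entry are constructed for the example; on a real host the text would come from an export such as `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, read with the utf-16 encoding.

```python
import re

# Constructed sample of a registry export (.reg format); it is not taken from
# the description. One benign Run entry sits next to the three Vobfus settings.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"kiuqe"="C:\\Users\\bob\\kiuqe.exe /c"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AU_KEY = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

# The description gives names such as "kiuqe" and "lbgim": short, lowercase letters only.
RND_NAME_RE = re.compile(r"[a-z]{3,8}")


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Only the subset of the format needed here is handled: [key] headers and
    "name"=data lines. Data is kept raw (still quoted or dword:... encoded).
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def unquote_reg_string(data):
    """Strip the quotes and undo the doubled backslashes of a REG_SZ export."""
    return data.strip('"').replace("\\\\", "\\")


def find_vobfus_indicators(text):
    """Return a list of (indicator, value_name, data) tuples found in the export."""
    keys = parse_reg(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        cmd = unquote_reg_string(data)
        # <rnd>.exe launched with "/c" under the same random name. A text export
        # cannot tell us which folder is %USERPROFILE%, so only the tail is matched.
        if RND_NAME_RE.fullmatch(name) and cmd.lower().endswith(f"\\{name}.exe /c"):
            findings.append(("autorun-random-exe", name, cmd))
    if keys.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == "dword:00000000":
        findings.append(("hides-system-files", "ShowSuperHidden", "0"))
    if keys.get(AU_KEY, {}).get("NoAutoUpdate") == "dword:00000001":
        findings.append(("disables-windows-update", "NoAutoUpdate", "1"))
    return findings


if __name__ == "__main__":
    # A real export is UTF-16 text: open(path, encoding="utf-16").read()
    for indicator, name, data in find_vobfus_indicators(SAMPLE_REG):
        print(f"{indicator:24s} {name} = {data}")
```

ShowSuperHidden = 0 on its own is the Explorer default and is not suspicious; it only carries weight together with the Run entry, so treat the three findings as a set rather than alerting on any one of them.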

Propagation

The Trojan copies itself to all shared network and removable drives connected to the infected computer. The Trojan modifies itself to counteract antivirus program signature analyzers. It creates copies of itself with the following extensions:

.lnk
.exe
.scr

If the discovered item is a shortcut file (.lnk extension), the worm reads the name of the file the shortcut points to and infects that file. The copies are created in the root directory of the infected volume:

<infected volume name>:\<rnd_1>.exe
<infected volume name>:\RCX<rnd_2>.tmp
<infected volume name>:\RCX<rnd_3>.tmp
<infected volume name>:\Secret.exe
<infected volume name>:\Sexy.exe

where <rnd_1> is a random sequence of Latin letters (for example, "pujej"), and <rnd_2> and <rnd_3> are random two-digit hexadecimal numbers.

The Trojan searches the root folder of the infected drive for files and folders. It then copies itself into the same root folder using the names of the files and folders it discovers. The hidden and system attributes are assigned to those original files and folders, so a user opening the root folder of the infected drive in Windows Explorer sees only the Trojan copies.

A zero-byte file is created on the infected drive:

<infected volume name>:\x.mpeg

The Trojan creates a file in the root folder of the infected drive:

<infected volume name>:\autorun.inf

This file is processed each time the user opens the infected disk in Windows Explorer, launching the Trojan. The hidden, system and read-only attributes are assigned to the file.
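The propagation pattern above (visible .exe/.scr/.lnk copies named after items whose originals were given the hidden and system attributes, RCX<hex>.tmp files, the zero-byte x.mpeg marker and an autorun.inf with hidden, system and read-only attributes) can be checked on a drive root without executing anything. The script below is an added example, not code from the original description: it triages a directory listing and reports which Vobfus-style artifacts are present. The listing SAMPLE_ROOT, the names "Photos", "report.docx" and "notes.txt", and the size 41234 are constructed for the example; `entries_from_path` builds the same structure from a real directory using `os.scandir` and the Windows-only `st_file_attributes` field.

```python
import os
import re
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One item in a drive root with the attributes the description relies on."""
    name: str
    size: int
    hidden: bool = False
    system: bool = False
    readonly: bool = False
    is_dir: bool = False


def entries_from_path(root):
    """Build Entry objects from a real directory. The attribute bits come from
    st_file_attributes, which exists only on Windows; elsewhere all flags stay False."""
    out = []
    for d in os.scandir(root):
        st = d.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)
        out.append(Entry(d.name, st.st_size,
                         bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                         bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
                         bool(attrs & stat.FILE_ATTRIBUTE_READONLY),
                         d.is_dir(follow_symlinks=False)))
    return out


# Constructed listing of a removable drive root (not from the description): a
# user's folder and document sit next to the artifacts the text enumerates.
SAMPLE_ROOT = [
    Entry("Photos", 0, hidden=True, system=True, is_dir=True),
    Entry("Photos.exe", 237568),
    Entry("report.docx", 41234, hidden=True, system=True),
    Entry("report.scr", 237568),
    Entry("pujej.exe", 237568),
    Entry("RCX3f.tmp", 237568),
    Entry("Secret.exe", 237568),
    Entry("x.mpeg", 0),
    Entry("autorun.inf", 160, hidden=True, system=True, readonly=True),
    Entry("notes.txt", 512),
]

COPY_EXTS = {".exe", ".scr", ".lnk"}
LURE_NAMES = {"secret.exe", "sexy.exe"}
RCX_TMP_RE = re.compile(r"rcx[0-9a-f]{2}\.tmp")   # RCX<two hex digits>.tmp
RND_EXE_RE = re.compile(r"[a-z]{5}\.exe")          # e.g. pujej.exe


def triage_root(entries):
    """Return (indicator, name, related_name) tuples for Vobfus-style artifacts."""
    by_stem = {}
    for e in entries:
        by_stem.setdefault(os.path.splitext(e.name.lower())[0], []).append(e)

    findings = []
    for e in entries:
        n = e.name.lower()
        stem, ext = os.path.splitext(n)
        # A visible .exe/.scr/.lnk whose namesake in the same root now carries
        # the hidden+system attributes: the copy stands in for the original.
        if ext in COPY_EXTS and not e.hidden:
            for original in by_stem.get(stem, []):
                if original is not e and original.hidden and original.system:
                    findings.append(("copy-shadowing", e.name, original.name))
        if n in LURE_NAMES:
            findings.append(("lure-name", e.name, ""))
        if RCX_TMP_RE.fullmatch(n):
            findings.append(("rcx-temp", e.name, ""))
        if RND_EXE_RE.fullmatch(n) and not e.hidden:
            findings.append(("random-name-exe", e.name, ""))
        if n == "x.mpeg" and e.size == 0:
            findings.append(("zero-byte-marker", e.name, ""))
        if n == "autorun.inf" and e.hidden and e.system and e.readonly:
            findings.append(("autorun-hsr", e.name, ""))
    return findings


if __name__ == "__main__":
    for indicator, name, related in triage_root(SAMPLE_ROOT):
        print(f"{indicator:18s} {name}" + (f"  (shadows {related})" if related else ""))
```

The "copy-shadowing" pairs are the most useful output for cleanup: each names a Trojan copy to delete and the original item whose hidden and system attributes must be cleared afterwards (for example with `attrib -h -s` on Windows) so the user's data becomes visible again.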

Removal Recommendations

  1. Using Task Manager (How to End a Process with the Task Manager), terminate the Trojan process.
  2. Using Task Manager (How to End a Process with the Task Manager), terminate the processes associated with the Trojan copy as well as the files downloaded by the Trojan:
     <rnd>.exe
     <rnd>.com

  3. Delete the registry keys (How to Work with System Registry):
     [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
     "ShowSuperHidden" = "0"

     [HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
     "NoAutoUpdate" = "1"

     [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
     "<rnd>" = "%USERPROFILE%\<rnd>.exe /c"

  4. Delete the files:
     %USERPROFILE%\<rnd>.exe
     %USERPROFILE%\<rnd>.com
     <infected volume name>:\<rnd_1>.exe
     <infected volume name>:\RCX<rnd_2>.tmp
     <infected volume name>:\RCX<rnd_3>.tmp
     <infected volume name>:\Secret.exe
     <infected volume name>:\Sexy.exe
     <infected volume name>:\x.mpeg
     <infected volume name>:\autorun.inf

  5. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  6. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  7. Run a full scan of your computer using the antivirus program with an updated definition database (Download Ad-Aware Free).