
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Vobfus.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Vobfus.A carries out the following actions:

  • It connects to Chinese websites and attempts to download files from them, including some belonging to an adware program.
  • The websites to which it connects are:
    psim<blocked>ge.cn
    ns1.theimage<blocked>our.net
  • To display these websites without problems, Vobfus.A installs the Japanese, Chinese and Korean character sets, so that the system can interpret websites in these languages.
  • Its aim is to download files from these websites or even to redirect users to malicious websites.

Infection strategy 

Vobfus.A creates a copy of itself, with a random name and an EXE extension, in the Documents and Settings folder of the logged-in user.

Additionally, it creates the following files on removable drives:

  • two copies of itself with the hidden attribute set: one with an EXE extension and the other with an SCR extension.
  • an AUTORUN.INF file in the root directory, so that the copies of the worm are run automatically when the drive is accessed.

It also creates several shortcuts on removable drives. These point to the file with the SCR extension, which is a copy of the worm. The names of the shortcuts are:

  • Documents
  • Music
  • New Folder
  • Passwords
  • Pictures
  • Video

 

Vobfus.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    mgqih = C:\documents and settings\%username%\%copy of the worm%.exe
    where %username% is the name of the logged-in user.
    By creating this entry, Vobfus.A ensures that it is run whenever Windows starts.
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 932, c_932.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 936, c_936.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 949, c_949.nls
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage, 950, c_950.nls
    By creating these entries, Vobfus.A loads into the system the characters needed to interpret pages in languages other than the usual one.
    Code page 932 corresponds to Japanese, 936 to Chinese, 949 to Korean and 950 to traditional Chinese.

 

Vobfus.A modifies the following Windows Registry entry in order to hide files that have the hidden attribute set and so prevent users from seeing the copies of itself:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 1

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 0

Means of transmission 

Vobfus.A spreads through removable drives, such as USB keys. To do so, it creates the following files on these drives:

  • two copies of itself with the hidden attribute set: one with an EXE extension and the other with an SCR extension.
  • an AUTORUN.INF file in the root directory, so that the copies of the worm are run automatically when the drive is accessed.
  • several shortcuts which point to the file with the SCR extension, which is a copy of the worm. The names it uses for the shortcuts are similar to those of the usual Windows folders, like Music, Pictures or Video, among others.

[Image: what the user sees when accessing the removable drive]

Further Details  

Vobfus.A is 49,152 bytes in size.
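
A triage check for the removable-drive layout described under Infection strategy and Means of transmission, given as an added example rather than Panda Security's own code. The `Entry` record, the function names and the sample listings are assumptions constructed for illustration; gathering the listing from a real drive is left to the caller.

```python
from dataclasses import dataclass
from typing import Optional

# Shortcut names listed on this page, compared case-insensitively.
LURE_NAMES = {"documents", "music", "new folder", "passwords", "pictures", "video"}

@dataclass
class Entry:
    """One file in a removable drive's root (hypothetical triage record)."""
    name: str
    hidden: bool = False
    lnk_target: Optional[str] = None  # resolved target when the file is a .lnk

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage_drive_root(entries):
    """Report which of the three artefact types from the write-up are present."""
    def hidden(ext):
        return sorted(e.name for e in entries if e.hidden and _ext(e.name) == ext)
    exe, scr = hidden("exe"), hidden("scr")
    scr_names = {n.lower() for n in scr}
    lures = []
    for e in entries:
        if _ext(e.name) != "lnk" or not e.lnk_target:
            continue
        # Compare only the file-name part of the shortcut target.
        target = e.lnk_target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if e.name[:-4].lower() in LURE_NAMES and target in scr_names:
            lures.append(e.name)
    return {
        "autorun_inf": any(e.name.lower() == "autorun.inf" for e in entries),
        "hidden_exe_scr_pair": bool(exe and scr),
        "lure_shortcuts": lures,
    }

def matches_described_layout(entries):
    """True only when all three artefact types appear together."""
    return all(triage_drive_root(entries).values())

# Constructed sample listings (not taken from a real infection).
INFECTED = [
    Entry("autorun.inf", hidden=True),
    Entry("xkqvo.exe", hidden=True),
    Entry("xkqvo.scr", hidden=True),
    Entry("Music.lnk", lnk_target="E:\\xkqvo.scr"),
    Entry("Passwords.lnk", lnk_target="E:\\xkqvo.scr"),
]
CLEAN = [Entry("autorun.inf"), Entry("setup.exe"), Entry("Music.lnk", lnk_target="E:\\Music")]
```

Requiring all three artefacts together keeps ordinary installer media, which often carries a visible AUTORUN.INF and an EXE, from being flagged.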