The main objective of VobfusLNK.A is to spread and affect as many computers as possible.
One of the means it uses to spread is removable devices. It creates the following files on them:
- several shortcuts with the following names, which Windows uses by default to name some folders:
  - New Folder
- another shortcut to a text file with the name Passwords, which may spark users' curiosity and convince them to run it.
  If users run any of these shortcuts, a copy of the worm will be run.
- several files, which are copies of itself, with EXE and SCR extensions. They are created as system files and with hidden attributes. Therefore, they cannot be viewed.
- an AUTORUN.INF file, which points to a copy of the worm.
- several shortcuts with names like zFW, zkX or zLM, which are specially designed to exploit a Windows vulnerability that affects shortcuts, specifically the vulnerability called MS10-046 (CVE-2010-2568).
  - If the computer is vulnerable, the library xxx.DLL is automatically downloaded and run without the user clicking on the malicious shortcuts, as this vulnerability allows remote code execution.

A removable device infected by VobfusLNK.A would have the following appearance:
Note: Microsoft has already released the security patch that solves this vulnerability. If you have a Windows 2008/7/Vista/2003/XP computer, it is recommended to download and apply the security patch for this vulnerability.
VobfusLNK.A creates a randomly named file in the Documents and Settings directory of the user that has logged in. This file is a copy of the worm.
Additionally, VobfusLNK.A creates an AUTORUN.INF file in the mapped drives and in the removable devices that are connected to the computer, in order to ensure its distribution.
VobfusLNK.A creates the following entry in the Windows Registry, in order to be automatically run whenever Windows is started:
C:\Documents and Settings\%username%\%random name%.exe
VobfusLNK.A modifies the following Windows Registry entry:
ShowSuperHidden = 1
It changes this entry to:
ShowSuperHidden = 0
Some of the copies and files of VobfusLNK.A have hidden and system file attributes. By modifying this entry, which hides the system files, it ensures that the files of the worm are also hidden.
Means of transmission
VobfusLNK.A spreads through removable devices, like USB keys, and through mapped drives.
VobfusLNK.A is 113,664 bytes in size.
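
The removable-drive artifacts described above can be checked for without opening the drive in Explorer. The following triage script is an added example, not part of the original description or any vendor tool; the function names are hypothetical, and reading "names like zFW, zkX or zLM" as "z plus two characters" is an assumption.

```python
import os
import sys

# Windows file-attribute bits as reported in os.stat().st_file_attributes.
HIDDEN, SYSTEM = 0x2, 0x4
# Decoy shortcut names given in the write-up (Explorer hides the .lnk extension).
DECOY_LNK = {"new folder.lnk", "passwords.lnk"}


def classify(name, attrs):
    """Return the reasons one drive-root file matches the described behaviour."""
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    reasons = []
    if lower == "autorun.inf":
        reasons.append("autorun.inf in drive root")
    if ext in (".exe", ".scr") and attrs & HIDDEN and attrs & SYSTEM:
        reasons.append("hidden+system executable")
    if ext == ".lnk":
        if lower in DECOY_LNK:
            reasons.append("decoy shortcut name")
        # Assumption: "names like zFW, zkX or zLM" read as 'z' + two characters.
        elif len(stem) == 3 and stem.startswith("z"):
            reasons.append("short z-prefixed shortcut name")
    return reasons


def scan_root(root):
    """List files directly under root and return {name: reasons} for matches.

    Only directory entries are read; no shortcut is opened or parsed, and the
    listing does not depend on Explorer's ShowSuperHidden setting.
    """
    findings = {}
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            # st_file_attributes exists only on Windows; treat as 0 elsewhere.
            reasons = classify(entry.name, getattr(st, "st_file_attributes", 0))
            if reasons:
                findings[entry.name] = reasons
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for name, reasons in sorted(scan_root(sys.argv[1]).items()):
        print(f"{name}: {', '.join(reasons)}")
```

Run it with the drive root as the only argument. A match is a prompt for further analysis, not a verdict, since AUTORUN.INF and hidden system files also occur on clean media.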