W32/VBObfus.N!tr

Analysis


  • Upon execution it drops the following files:
    • c:\%UserProfile%\baxer.com with approximate filesize of 25KB
    • c:\%UserProfile%\jeuuf.exe with approximate filesize of 160KB
    • c:\%UserProfile%\start1.exe with approximate filesize of 160KB
    • c:\%UserProfile%\eelo.com with approximate filesize of 25KB
    • c:\%UserProfile%\foayoh.com with approximate filesize of 25KB
    • c:\%UserProfile%\toehey.exe with approximate filesize of 82KB
    • c:\%UserProfile%\vioziez.exe with approximate filesize of 160KB
    • C:\Documents and Settings\All Users\Application Data\{16_char_filename}\{16_char_filename}.exe with approximate filesize of 345KB
    • c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\@ with approximate filesize of 3KB
    • c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\L with approximate filesize of 1KB
    • c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\n with approximate filesize of 58KB
    • c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\U with approximate filesize of 1KB
  • The dropped files are mostly detected as W32/VBObfus.N!tr or W32/VBKrypt.CA!tr.

  • The following MD5 hashes correspond to the original and dropped/downloaded files:
    • \545a6e160b1b6aa5e3f51eae8e7c321 : original malware file.
  • The malware applies the following registry modifications:
    • HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
      • @ = "\\.\globalroot\systemroot\Installer\{d24e742d-a118-22f1-c785-3d16a7242be0}\n."
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • ShowSuperHidden = 00000000
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • jeuuf = "c:\%UserProfile%\jeuuf.exe \u"

      This registry entry registers the dropped file as an autostart program that Windows launches at every logon of the current user.

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      • NoAutoUpdate = 00000001
  • The malware has been observed to connect to a remote site with the following detail(s):
    • 111.74.{Removed}.147:27000
    • 116.255.{Removed}.9:80
  • The malware uses a folder icon or a music-file icon to disguise itself.

  • The malware also attempts to download and install a FakeAV named "Live Security Platinum".


Recommended Action

  FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

  FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

  Detection Availability

    Product                     Availability
    FortiGate                   Extreme
    FortiClient                 Extended
    FortiMail                   Extended
    FortiSandbox                Extended
    FortiWeb                    Extended
    Web Application Firewall    Extended
    FortiIsolator               Extended
    FortiDeceptor               Extended
    FortiEDR

  Version Updates

    Date         Version     Detail
    2024-03-11   92.02356
    2024-02-05   92.01302
    2024-01-08   92.00462
    2023-12-22   91.09963
    2023-12-21   91.09910
    2023-12-10   91.09587
    2023-11-26   91.09153
    2023-10-18   91.07987
    2023-10-10   91.07737
    2023-09-26   91.07317