This article contains recommended practices for preventing WORM_VOBFUS infection or reinfection using WFBS. This worm is also known as:
- Trj/CI.A
- Variant.Symmi.6831
- W32.Changeup
- W32/Autorun.worm.aaeh
- W32/VBNA-X
- Win32/VBObfus.GH
- Win32/Vobfus.MD
- Worm.Win32.VBNA.b
To protect against WORM_VOBFUS:
- Go to Security Settings > Servers/Desktops group > Web Reputation and set the Security Level to Medium. This prevents the malware from downloading new variants of itself or other malware, and also flags highly suspicious sites.
- Disable the Windows Autorun feature. This prevents users from getting infected simply by opening an infected mapped or removable drive. Refer to Microsoft KB 967715.
- Make sure that all of your machines are fully patched, especially against MS10-046 (the Windows Shell shortcut-handling vulnerability that allows code execution when an infected folder is browsed).
- Enable Smart Protection Network (SPN) feedback. This helps Trend Micro obtain copies of malicious files that are not yet detected.
- Enable Scan mapped drives and shared folders on the network for Manual Scan and Scheduled Scan.
- Enable Behavior Monitoring (BM). Make sure that clients are running the latest BM patterns:
  - For 64-bit: 1.338.64
  - For 32-bit: 1.338.0
  WFBS 6.0 does not support 64-bit BM. To get this feature, upgrade to WFBS 7.0 SP1 or WFBS 8.0.
- Set WFBS to the Smart Scan method so that clients receive the new patterns that detect new VOBFUS variants.
- Read the following KB article: Simple Best Practices to enhance protection against malware threats in Worry-Free Business Security/Services (WFBS/WFBS-SVC)
- Optional: For added security, you can use the Trend Micro firewall to block WORM_VOBFUS from using ports 8000, 8003 and 9004 to communicate with its C&C server:
- Go to Security Settings > Servers/Desktops group > Firewall > Enable Firewall.
- Choose Advanced Mode > Enable Intrusion Detection System.
- Click Add > Change Action to DENY NETWORK TRAFFIC > type specified ports: “9004,8000,8003” > All IP addresses.
- Click Save.
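Before (or instead of) blocking the ports, it helps to know which process on a host is actually talking to them. The following PowerShell script is an added example, not part of the original article or of WFBS: it parses `netstat -ano` output, keeps only rows whose remote port is one of the C&C ports named above (8000, 8003, 9004) and maps the PID to a process name and image path. The sample rows, addresses and PIDs embedded in it are constructed for offline testing; run it without `-UseSample` to read the live connection table.

```powershell
# Added example, not part of the original article: find processes on this host
# that have a connection to one of the C&C ports the article names
# (8000, 8003, 9004) by parsing "netstat -ano" output.
# Run with -UseSample to parse the constructed sample lines below offline.
param([switch]$UseSample)

$CncPorts = 8000, 8003, 9004

# Constructed sample in the column layout that "netstat -ano" prints.
# Addresses and PIDs are made up for illustration.
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.25:49672    203.0.113.45:8000      ESTABLISHED     2316
  TCP    192.168.10.25:49701    192.168.10.3:445       ESTABLISHED     4
  TCP    192.168.10.25:49733    203.0.113.45:9004      SYN_SENT        2316
  UDP    0.0.0.0:5355           *:*                                    1012
'@ -split "`r?`n"

$Lines = if ($UseSample) { $SampleNetstat } else { netstat -ano }

$Hits = foreach ($Line in $Lines) {
    # TCP rows carry a State column; UDP rows do not, so the group is optional.
    if ($Line -notmatch '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') { continue }
    $Proto   = $Matches[1]
    $Foreign = $Matches[3]
    $State   = $Matches[4]
    $ProcId  = [int]$Matches[5]

    # The remote port is the number after the last colon; "*:*" has none.
    if ($Foreign -notmatch ':(\d+)$') { continue }
    $Port = [int]$Matches[1]
    if ($CncPorts -notcontains $Port) { continue }

    # Resolve the PID to an image path while the process is still alive.
    $Proc     = Get-Process -Id $ProcId -ErrorAction SilentlyContinue
    $ProcName = if ($Proc) { $Proc.Name } else { '<exited>' }
    $ProcPath = if ($Proc -and $Proc.Path) { $Proc.Path } else { '' }

    New-Object PSObject -Property @{
        Proto   = $Proto
        Remote  = $Foreign
        State   = $State
        PID     = $ProcId
        Process = $ProcName
        Path    = $ProcPath
    }
}

if ($Hits) {
    $Hits | Format-Table Proto, Remote, State, PID, Process, Path -AutoSize
} else {
    'No connections to ports {0} found.' -f ($CncPorts -join ', ')
}
```

A hit on these ports is a lead, not a verdict: legitimate software also uses 8000 and 8003, so confirm the image path (and submit it through SPN feedback if it is undetected) before treating the host as infected.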
- Configure the Manual Scan exclusions so that the Trend Micro folders are scanned too. One reason a machine keeps getting reinfected is that the dropper has placed itself in a folder that WFBS does not scan by default:
- Log in on the WFBS console and go to Scans tab > Manual Scan.
- Uncheck Do not scan the directories where Trend Micro products are installed.
- Click Save and run a manual scan.
If you have exclusions on the Real-time Scan, make sure that the same paths are not also excluded from the Manual Scan and Scheduled Scan.
To enable WFBS to quarantine and collect possible virus/malware during a scan:
- If you have mapped drives, check whether Write access is actually needed. If not, limit the share to Read Only.
- Set the Real-time Scan settings to use Custom action and change the Probable Malware action to Quarantine.
- On the Manual Scan and Scheduled Scan settings, enable Scan mapped drives and shared folders on the network.
- Set the action to Custom, change the Probable Malware action to Quarantine, then click Save.
- Make sure that all servers and clients on the Security Settings tab have the latest pattern file and scan engine. Check the offline computers in the list and turn them on before running a manual scan.
In case of a reinfection, use either or both of the methods below to find the infection source of WORM_VOBFUS:
OPTION 1
Via Net Session:
- Click on Start > Run. Type in “cmd” and press ENTER.
- In the command prompt window, type “net session”.
This displays all users currently connected to the infected server (computer name, user name and idle time of each session). Check the timestamp of the malware file and compare it with the sessions to see which client was connected at that time.
OPTION 2:
Via Owner:
- In Windows Explorer, open the infected folder and arrange the files by Type.
- Switch to the Details view.
- Right-click the current window > Sort by > More > select Owner.
The Owner column now shows which user account created each file; the account that owns the dropper is the likely source.
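Both options above can be combined in one script. The following PowerShell is an added example, not part of the original article or of WFBS: given the path of the dropped file on the share, it lists every file written within a window around that file's timestamp together with the owning account (including hidden files, which Explorer and `Get-ChildItem` skip by default), groups the results per owner, and then prints the live `net session` table so the owner and time can be matched against a connected client. The share layout, the 30-minute window and the parameter names are assumptions; adjust them for your environment.

```powershell
# Added example, not part of the original article: combine Option 1 (net
# session) and Option 2 (file owner) to locate the source of a reinfection.
# Run on the file server itself so that "net session" shows the real sessions.
param(
    [Parameter(Mandatory = $true)] [string] $MalwarePath,   # e.g. Z:\dropper.exe (assumed)
    [string] $ShareRoot     = (Split-Path -Parent $MalwarePath),
    [int]    $WindowMinutes = 30                              # assumed window size
)

$Malware = Get-Item -LiteralPath $MalwarePath -Force   # -Force: the file is usually hidden
$Start   = $Malware.LastWriteTime.AddMinutes(-$WindowMinutes)
$End     = $Malware.LastWriteTime.AddMinutes($WindowMinutes)

"Malware file : $($Malware.FullName)"
"Last written : $($Malware.LastWriteTime)"
"Owner        : $((Get-Acl -LiteralPath $Malware.FullName).Owner)"
"Window       : $Start .. $End"
''

# -Force includes hidden and system files, which is where the dropper and its
# companion files sit. Owner comes from the security descriptor and is the
# account that created the file (or an administrator who later took ownership).
$Recent = Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End } |
    ForEach-Object {
        try   { $Owner = (Get-Acl -LiteralPath $_.FullName).Owner }
        catch { $Owner = '<access denied>' }
        New-Object PSObject -Property @{
            LastWriteTime = $_.LastWriteTime
            Owner         = $Owner
            Attributes    = $_.Attributes
            Path          = $_.FullName
        }
    }

'Files written inside the window, by owner:'
$Recent | Sort-Object Owner, LastWriteTime |
    Format-Table LastWriteTime, Owner, Attributes, Path -AutoSize

'Files per owner (the account owning the dropper and most of its companions is the likely source):'
$Recent | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Option 1: "net session" lists the computer name, user name and idle time of
# every client that currently holds a session on this server.
'Current SMB sessions on this server:'
net session 2>&1
```

Compare the owner of the dropper with the user names in the session list: the matching client is the machine to isolate and clean first. If the owner is a local Administrators group rather than a user, someone has already taken ownership and the session list is the better lead.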
To restore hidden folders:
- Unhide the folders manually from a command prompt with administrative privileges.
- Use this command:
attrib -h -r -s [drive:][path][filename] /S /D
Example: attrib -h -r -s z:\*.* /S /D
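The attrib command above also strips the Hidden and System attributes from items that Windows keeps hidden on purpose (System Volume Information, the Recycle Bin folder, desktop.ini), and clears Read Only on every file on the share. The following PowerShell script is an added example, not part of the original article or of WFBS: it clears the same attributes recursively but skips a list of known system items and lets you keep Read Only, and supports `-WhatIf` so you can preview the changes before applying them. The skip list is an assumption for a typical file share; extend it for your own environment.

```powershell
# Added example, not part of the original article: clear the Hidden, System
# and ReadOnly attributes that the worm sets on folders and files, like
# "attrib -h -r -s <root>\*.* /S /D", but leave the items Windows hides on
# purpose untouched. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Root,   # e.g. Z:\ (assumed)
    [switch] $KeepReadOnly    # clear only Hidden and System, leave ReadOnly alone
)

# Assumed list of legitimately hidden/system items on a typical share.
$SkipFolders = @('System Volume Information', '$RECYCLE.BIN', 'RECYCLER')
$SkipFiles   = @('desktop.ini', 'thumbs.db', 'pagefile.sys', 'hiberfil.sys')

$Clear = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
if (-not $KeepReadOnly) { $Clear = $Clear -bor [IO.FileAttributes]::ReadOnly }

$Changed = 0
$Skipped = 0

# -Force is required: without it Get-ChildItem does not return hidden items.
foreach ($Item in (Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)) {
    $Name = $Item.Name
    if (($Item.PSIsContainer -and $SkipFolders -contains $Name) -or
        (-not $Item.PSIsContainer -and $SkipFiles -contains $Name)) {
        $Skipped++; continue
    }
    # Do not touch anything inside a skipped folder either.
    $Inside = $false
    foreach ($Dir in $SkipFolders) { if ($Item.FullName -like "*\$Dir\*") { $Inside = $true } }
    if ($Inside) { $Skipped++; continue }

    if (([int]($Item.Attributes -band $Clear)) -eq 0) { continue }   # nothing to clear

    $New = $Item.Attributes -band (-bnot $Clear)
    # A file left with no attributes at all must be written back as Normal.
    if ([int]$New -eq 0) { $New = [IO.FileAttributes]::Normal }

    if ($PSCmdlet.ShouldProcess($Item.FullName, "clear $($Item.Attributes -band $Clear)")) {
        $Item.Attributes = $New
        $Changed++
    }
}

"Attributes cleared on $Changed item(s); $Skipped system item(s) left untouched."
```

Run it first as `.\Unhide-Share.ps1 -Root Z:\ -WhatIf` to see what would change; the script must run with an account that has write access to the share, and only after the dropper itself has been quarantined, otherwise the worm simply re-hides the folders.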
For related information about this malware, refer to the TrendLabs Security Intelligence Blog for WORM_VOBFUS.