Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Best practices in preventing Worm_VOBFUS infection using Worry-Free Business Security (WFBS)

    • Updated:
    • 5 Jun 2018
    • Product/Version:
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services 6.1
    • Worry-Free Business Security Services 6.2
    • Worry-Free Business Security Services 6.3
    • Worry-Free Business Security Services for Dell 5.6
    • Worry-Free Business Security Standard/Advanced 10.0
    • Worry-Free Business Security Standard/Advanced 7.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Home Server
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
    • Windows 2003 Small Business Server R2
    • Windows 2003 Standard
    • Windows 2008 Enterprise
    • Windows 2008 Essential Business Server
    • Windows 2008 Server Foundation
    • Windows 2008 Server R2
    • Windows 2008 Small Business Server
    • Windows 2008 Standard
    • Windows 2011 Small Business Server Essentials
    • Windows 2011 Small Business Server Standard
    • Windows 2012 Enterprise
    • Windows 2012 Server Essentials
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Mobile 5 Pocket PC
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional

This article contains recommended practices in preventing WORM_VOBFUS infection or reinfection using WFBS. This worm is also known as:

  • Trj/CI.A
  • Variant.Symmi.6831
  • W32.Changeup
  • W32/Autorun.worm.aaeh
  • W32/VBNA-X
  • Win32/VBObfus.GH
  • Win32/Vobfus.MD
  • Worm.Win32.VBNA.b

To ensure protection from Worm_VOBFUS:

  1. Go to Security Settings > Servers/Desktops group > Web Reputation > set the Security Level section to Medium. Do this to prevent the malware from downloading new variants of itself or other types of malware. This it will also flag highly suspicious sites.
  2. Disable the Windows autorun feature. This will prevent users accessing an infected mapped drive to get infected.  Refer to Microsoft KB 967715.
  3. Make sure that all of your machines are fully patched, especially against the MS10-046 vulnerability.
  4. Enable the SPN Feedback. This will help Trend Micro get copies of still undetected malicious files
  5. Enable the Scan mapped drives and shared folders on the network for Manual Scan and Scheduled Scans.
  6. EnableBehavior Monitoring (BM). Make sure that the they are running the latest BM patterns:
    • For 64-bit: 1.338.64
    • For 32-bit: 1.338.0
    WFBS 6.0 does not support 64-bit BM. In order to have this feature, upgrade to WFBS 7.0 SP1 or WFBS 8.0.
  7. Set your WFBS to Smart Scan method to acquire the new patterns that can detect new variants of VOBFUS malware.
  8. Read the following KB article: Simple Best Practices to enhance protection against malware threats in Worry-Free Business Security/Services (WFBS/WFBS-SVC)
  9. Optional: For added security, you can use Trend Micro firewall to block WORM_VOBFUS from using Port 8000, 8003, 9004 to communicate with its C&C Server:
    1. Go to Security Settings > Servers/Desktops group > Firewall > Enable Firewall.
    2. Choose Advanced Mode > Enable Intrusion Detection System.
    3. Click Add > Change Action to DENY NETWORK TRAFFIC > type specified ports: “9004,8000,8003” > All IP addresses.
    4. Click Save.
  10. Configure the Manual Scan Exclusions to scan Trend Micro folders. It’s possible that the reason you keep getting reinfected is because the dropper positioned itself on folder WFBS do not scan by default:
    1. Log in on the WFBS console and go to Scans tab > Manual Scan.
    2. Uncheck Do not scan the directories where Trend Micro products are installed.
    3. Click Save and run a manual scan.
    If you have exclusions on the Real-time Scan, make sure that they are not excluded on the Manual Scan and Scheduled scan.

To enable WFBS to quarantine/collect possible virus/malware during a scan:

  1. If you have mapped drives, check if the Write access is needed.  If not, limit the access to Read Only.
  2. Set the Real-time Scan settings to use Custom action and change the Probable Malware action to Quarantine.
  3. On the Manual Scan and Scheduled Scans settings,enable the Scan mapped drives and shared folders on the network.
  4. Change to Custom action from Probable Malware to Quarantine then click Save.
  5. Make sure that all Servers/Clients on the Security Settings tab are updated with the latest pattern file and scan engine. Check the offline computers on the list and make sure to turn them ON before running a manual scan.

In case of a reinfection, use either or both methods below to find the infection source of WORM_VOBFUS:


Via Net Session:

  1. Click on Start > Run. Type in “cmd” and press ENTER.
  2. On the command prompt window, type in “Net Session”.

This displays all the users connected to the infected server. Check the timestamp of the malware file and compare it with the time duration of each user connected to the server.


Via Owner: 

  1. Arrange the files by Type.
  2. View by Details.
  3. Right-click on the current window > Sort by > More > select Owner.

The owner of the files will now be displayed.

To restore hidden folders:

  1. Unhide the folder/s manually via command prompt with admin privileges.
  2. Use this command:

    attrib -h -r -s  [drive:][path][filename] /S /D

    Example:  attrib –h –r –s z:\*.* /S /D

For related information about this malware, refer to the TrendLabs Security Intelligence Blog for WORM_VOBFUS.

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.