Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Best practices in preventing Worm_VOBFUS infection using OfficeScan (OSCE)

    • Updated:
    • 24 Nov 2016
    • Product/Version:
    • OfficeScan 10.6
    • OfficeScan 11.0
    • OfficeScan 11.0
    • Platform:
    • Windows 2003 Enterprise
    • Windows 2003 Enterprise 64-bit
    • Windows 2003 Standard
    • Windows 2003 Standard 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 2012 Enterprise
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Professional 64-bit

This article contains recommended practices in preventing WORM_VOBFUS infection or reinfection using OSCE. This worm is also known as:

  • Trj/CI.A
  • Variant.Symmi.6831
  • W32.Changeup
  • W32/Autorun.worm.aaeh
  • W32/VBNA-X
  • Win32/VBObfus.GH
  • Win32/Vobfus.MD
  • Worm.Win32.VBNA.b

The VOBFUS family of worms is known for their download and propagation routines, which allowed them to gain prominence, as can be seen in the family’s increasing number of variants over time. These worms are known for taking advantage of the Windows OSs’ AutoRun feature in order to spread via removable drives. These are also known for exploiting the .LNK vulnerability. Like other prominent malware families (e.g., ZBOT), these worms have polymorphic capabilities that enable them to add garbage code at every iteration and to modify the code in order generate new variants.

WORM_VOBFUS variants may be dropped or downloaded by other malware onto users’ systems or may be unknowingly downloaded by the users themselves when visiting malicious sites. These may also arrive via removable drives.

The VOBFUS Malware, drops copies of itself in removable drives using the file names of the user’s folders and files with the following extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

Also, it hides those original files and folders. Thus, the users may think that what they are clicking are normal files or folders. It also drops an autorun.inf to automatically execute the file when the drive is accessed. Another way of determining if a drive is infected is the presence of the following files:

  • {drive letter}:\Passwords.exe
  • {drive letter}:\Porn.exe
  • {drive letter}:\Secret.exe
  • {drive letter}:\Sexy.exe

This worm connects to a remote site where it downloads and executes other malware. Once the file is downloaded it is saved under %User Profile%. However, some sites where this malware connects to are already inaccessible.

These WORM_VOBFUS variants were also observed to connect to a command-and-control (C&C) server, possibly to communicate with a remote malicious user.

The following methods are necessary:

  • Upgrade to the latest version of OfficeScan
  • Aggressive pattern file updates
  • Blocking of malicious web sites
  • Scanning of network drives
  • Ensuring that file storages have the necessary antivirus protection
  • Disabling Windows AutoRun feature. Refer to the following Microsoft article: How to disable the Autorun functionality in Windows.
  • Patching for Windows vulnerabilities, like the Microsoft LNK Vulnerability

The following features in the latest version of OfficeScan would be turn-key in making sure that you detect and mitigate WORM_VOBFUS:

  • SmartScan has larger coverage and is updated very frequently. Newer samples of WORM_VOBUFUS are processed and pushed to cloud updates very fast.
  • Enable Web Reputation Services (WRS) and make sure you implement this for your INTERNAL network. This would block infection vectors, as well as communication vectors.
  • Enable Behavior Monitoring as it proactively detects threats through behavior analysis.
  • Enable SmartFeedback. The Trend Micro Smart Protection Network provides a feedback mechanism to minimize the effort of threats harvesting, analysis and resolving. It not only helps increase the detection rate but also provides a quick real-world scenario. It also benefits customers to help ensure they get the latest protection in the shortest possible time.
  • Scan Network Drives for Real-time Scan and Manual Scan. This would enabled OSCE to block files deposited in shares in real-time and can be manually scanned if need be.
Scan Network Drive may cause performance issues in large networks. These settings may be aggressive, but it makes sure that the files/folders are scanned on access.

For more information, read OfficeScan’s best practice guide on Best Practices in configuring OfficeScan for malware protection.

  • Apply the following Outbreak Prevention Policy to protect mapped drives / shares.
  • For mapped drives that have WRITE access, enable “Deny Write Access…”, set it to 72 hours. Click on “Deny Write Access…”
  • Under Files to Protect, add the following files:
    • porn.exe
    • sexy.exe
    • secret.exe
    • autorun.inf
    • passwords.exe
    • ..exe
    • ...exe
If the shared drive does not have WRITE access, then there is no need to apply OPP as the mapped drive cannot be written on anyway.
  • Install the OSCE Toolbox under Plug-In Manager to make deployment of ATTK Malware to gather samples. This is very efficient to gather malware dropped in %USERPROFILE%. Make sure to acquire the Reference ID under the Feedback Tab. Download the Log Files under the Logs tab.
  • It would also be very efficient to gather the files that have been dropped in the common/mapped drive.

Q: I have detection, and it’s coming up in my OSCE. I’m getting flooded with Virus Alerts. What should I do?

A: Assess if you are still infected - Do file names porn.exe, sexy.exe, secret.exe, passwords.exe exist in your common mapped drive? Do you have {random}.exe in your %USERPFOFILE%? Are your folders in the mapped drive hidden?

If you answer YES to any of those statements, then you are probably still in infected. Please see #3.

If you have answered NO, or are not sure, just make sure that you have implemented the necessary OfficeScan configuration changes and applied the necessary Microsoft patches. Monitor the situation just in case the situation changes. Be mindful for re-occurring infections.

Q: I checked my detections and there are no new detections over time. However, my folders in the mapped drives are still hidden!

A: A Windows Administrator can unhide the files/folders in the hidden drive. The following command can be invoked against the drive:

attrib -h -r -s [drive:][path][filename] /S /D

For example:
attrib –h –r –s z:\*.* /S /D

Q: I’ve been submitting samples over and over again. I’m still infected. Help!

A: In this case, we need to do the following:

  • Make sure that your OfficeScan is configured correctly, including SmartFeedback.
  • Make sure features/processes of OfficeScan are up and running:
    • OfficeScan NT RealTime Scan (ntrtscan.exe)
    • Web Reputation Service (tmproxy.exe)
    • Behavior Monitoring (tmbmsrv.exe)
    • OfficeScan NT Listenr (tmlisten.exe)
  • Make sure OfficeScan server and client has the same up-to-date.
Make sure all machines have OfficeScan client installed.
  • Apply the necessary Microsoft patches.
  • Enable Outbreak Prevention Policy.
  • Use the OSCE Toolbox to gather samples. This is very efficient to gather malware dropped in %USERPROFILE%. Make sure to acquire the Reference ID under the Feedback Tab.Download the Log Files under the Logs tab.
  • Use WireShark to find the infection source.
  • Install WireShark on the server containing the shared drives.
  • Delete all the malware .exe on the shared drives.
  • Click Capture > Choose the NIC Card > Start.
  • Wait for the malware to reinfect the shared drives then stop the capture.
  • On the Filter bar, input this command:

    smb.file contains "exe"

    This should display all the .exe sent in the packet and the originating IP address.

    For additional information, refer to the following topic: TrendLabs Security Intelligence Blog for WORM_VOBFUS.

Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.