
Danger of autorun



#1 cnm


Posted 30 November 2012 - 12:12 PM

W32/VBNA-X worm spreads quickly through networks and removable media
I found this article very interesting - particularly the screenshots. Easy reading.
Microsoft MVP Windows Security 2005-2006

#2 AplusWebMaster


Posted 30 November 2012 - 01:07 PM

-aka- Vobfus ...

- https://threatpost.c...g-infect-113012
Nov 30, 2012 - "... WORM_VOBFUS (or W32/VBNA-X, as Sophos calls it)..."

- http://blog.dynamoo....s-to-block.html
29 Nov 2012 - "These domains and sites appear to be connected to the Vobfus worm, hosted on 222.186.36.108 (Chinanet Jiangsu Province Network). There seems to be quite a bit of this -worm- about..." (More detail at the dynamoo URL above.)

What’s the Fuss with WORM_VOBFUS?
- http://blog.trendmic...th-worm_vobfus/
Nov 29, 2012 - "... some variants even spreading through Facebook. WORM_VOBFUS takes advantage of Windows Autorun ..."

- https://isc.sans.edu...l?storyid=14584
Last Updated: 2012-11-28
___

- http://h-online.com/-1760548
30 Nov 2012 - "... Anti-virus experts at McAfee have discovered* a Windows pest that spreads via the autorun feature of the operating system – notwithstanding the fact that this vector hasn't existed for machines maintained through Windows Update for nearly two years..."

Remediation measures - Stinger and Signed ExtraDAT for W32/Autorun.worm.aaea to aaem
* https://kc.mcafee.co...tent&id=KB76807
Corporate KnowledgeBase ID: KB76807
Last Modified: December 07, 2012
___

- http://blog.trendmic...he-picture-yet/
Dec 17, 2012 - "... new variants are surfacing, including one that connects to a new site and uses the names of Google and MSN to label its dropped files. We recently reported on the wave of WORM_VOBFUS variants that emerged in the wild last November. We have been monitoring the said threat and found out that its latest variant (detected as WORM_VOBFUS.SMIS) accesses a new URL (http ://{random number}.noip .at:443/{random string}) to drop a downloader file that leads to ZBOT and CINJECT malware. When executed, WORM_VOBFUS.SMIS drops any of these files (porn.exe, secret.exe, and sexy.exe), which in turn downloads the file msn.com (detected as WORM_VOBFUS.SMIT). Note that the filenames of the dropped files use enticing keywords or names of popular sites like Google and MSN to trick users that these files are harmless.
WORM_VOBFUS.SMIT is capable of downloading any of the following files, which leads to ZBOT and CINJECT malware:
1pom.exe
2pom.exe
3pom.exe
4pom.exe
5pom.exe
In other instances, these downloaded files drop a copy of WORM_VOBFUS resulting to another infection..."


Edited by AplusWebMaster, 18 December 2012 - 06:51 AM.
