W32/VBNA-X worm spreads quickly through networks and removable media

Filed Under: Botnet, Featured, Malware, SophosLabs, Windows

Malware skull. Image from ShutterstockSophosLabs researchers have noticed a significant increase in the spread of malware we call W32/VBNA-X (among other names).

Several other vendors, including McAfee (W32/Autorun.worm.aaeb) and Symantec (W32.ChangeUp), have been alerting their customers as well. While the basic components of this malware have been around for some time, it has become considerably more aggressive in its latest iteration.


W32/VBNA-X is a worm, but also exhibits characteristics typically found in a Trojan. Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares.

You would hope this technique wouldn't be too effective on today's PCs, though. Microsoft released updates for XP, 2003 and Vista in February 2011 to disable Autorun on all media aside from "shiny discs."

It is still not a bad idea to disable Autorun/Autoplay more completely, which is quite easy to do according to Microsoft's instructions, which include a "FixIt."

Most PCs will ignore autorun.inf files these days, so people must be clicking on the malware itself, but why?

It appears to be a cocktail of clever social engineering, poor default settings and user carelessness.

After creating the autorun.inf file for the unpatched victims, it begins to enumerate all of the file and folder names on writable shares and removable devices.

For example, say your E: drive is a network share with folders named au and r and files named as.txt and Adobe.pdf.

It will set all of these to have the hidden attribute and set a registry key to ensure hidden files are not displayed.

Then it will create copies of itself called Porn.exe, Sexy.exe, Passwords.exe and Secret.exe in addition to creating a copy of itself for each legitimate file and folder present on the volume.

The duplicates of the original folders and files will have their icons set to the standard folder icon in Windows 7.

Screenshot of infected file share


In this screenshot you can see the original folders at the top showing their Windows XP icons and the cloned/Trojaned ones with the Windows 7 icons lower down.

The malware appears to assume that you are not showing extensions, which is the default in all releases of Windows.

Infected file share with extensions and hidden files shownI can easily see how people browsing file shares and USB drives could accidentally click the wrong folder, especially if the real folders are set to hidden.

If we show extensions and view all hidden files we see a very different picture.

In addition to the original files and their impostors there are also files called ..exe and ...exe. The malware is also known to write a zero byte file called x.mpeg, although it did not do so in this test instance.

The malware copies itself to the user's profile using a random file name and adds a registry key to start the malware on boot.

Some variants are known to disable Windows Update to prevent the victim from receiving a patch or updated instructions that may disable it.

W32/VBNA-X is also polymorphic so the SHA1 checksums vary for some of the files:

30582368427f752b7b6da4485db456de915101b2 SHA1 for Porn.exe
7ff75f92c5461cc221cb3ab914592bd2a5db6e15 SHA1 for Sexy.exe
d71a89c085ffbb62f4e222fb2f42d7e2271e4642 SHA1 of all the rest

Registry keys created:

    %UserProfile%\%random% /%randomletter% - For persistence

    NoAutoUpdate = 1 - To disable updates

    ShowSuperHidden = 0 - To ensure hidden items stay hidden

You're infected, now what happens?

These samples follow the standard operating procedure for modern malware. Once loaded W32/VBNA-X contacts a command and control (C&C) server to receive instructions for further payloads to download.

The malware attempts to contact the C&Cs on port 9003 using HTTP, although McAfee has reported seeing samples connecting to port 9004 as well.

Many of the DNS names are hosted in the ddns#.eu domain space, but the entire list is quite extensive. Administrators who wish to monitor for infections may wish to monitor their firewall logs for connections to ports 900[0-9].

Once the C&C server is contacted a command and URL is passed back to the malware instructing it to download a payload named google.exe which is placed in the users profile directory.

The instances we investigated downloaded banking Trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location.


Aside from keeping your anti-virus up to date there are several things you can do and can watch for.

  • Ensure Autorun is totally disabled on all Windows operating systems.

  • Make sure your standard Windows images and group policies are configured to show file extensions and hidden files.
  • Restrict write permissions to file shares to allow access only where absolutely necessary
  • Block all outbound connections to unknown ports and services on your gateway and client firewalls.
  • Ensure behavioral detection technologies are enabled in your anti-virus product to detect addition of malware persistence schemes and tampering with updating and anti-virus settings.
Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* W32/VBNA-X: Specific detection for this worm (variants include W32/VBNA-U, W32/VBNA-Z, W32-VBNA-AA and W32/VBNA-AB)
* Mal/SillyFDC-Z Generic worm detections for Autorun.inf files (variants include Mal/Autorun-AX, W32/SillyFDC-IP and W32/AutoInf-DI)
* Troj/Tepfer-E Trojan payloads detected in relation to this malware (variants include Troj/VB-GFM, W32/SillyFDC-IP and Mal/SillyFDC-Z)
* HIPS/RegMod-009 Proactive detection and prevention for registry modifications and persistence

* Customers using Sophos web protection will be prevented from accessing domains known to be involved with this malware

I would like to extend a special thank you to the entire SophosLabs Vancouver team and especially Mike Wood, Peter Szabo and Savio Lau for spending so much extra time to share these details with our readers.

Malware skull image from Shutterstock.

, , , , ,

You might like

4 Responses to W32/VBNA-X worm spreads quickly through networks and removable media

  1. Carol · 1002 days ago

    you guys do such a great job!!-Thanks!!

  2. Alex W · 1002 days ago

    I don't get it, where is the "network" spreading vector of it? Writing to a mapped network drive is hardly it. Does it actually scan for writeable shares on the network or not? p.s. Having problems posting comments because of Ghostery.

  3. Marc · 1001 days ago

    Some detailed info on how to perform some of the tasks in 'Advice' would be very useful for those who aren't computer savvy enough yet.

  4. Brad Schoolmeyer · 1001 days ago

    It creates exe's with the same name as the folders and files in the root of the shared directory. It then hides the true files. When clients try to open up their folder, it replicates this action on their computer and on all of their mapped drives and external drives. Its not very destructive but very hard to stop because end users just keep clicking and reinfecting themselves. A royal pain for large networks. We disabled autorun in Group Policy, searched for all EXE files in shared folders and deleted the trash ones (the ones that replicate the hiding and renaming of files), and most importantly let end users know not to click on anything until we saw their computer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.