Worm:Win32/Vobfus.EL removal

Worm:Win32/Vobfus.EL is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager process list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Worm:Win32/Vobfus.EL virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Behavioural detection: Injection (inter-process)
  • Installs itself for autorun at Windows startup
  • Attempts to disable Windows Auto Updates
  • Attempts to modify Explorer settings to prevent hidden files from being displayed

How to identify Worm:Win32/Vobfus.EL?

File Info:

name: FA77C6F287E1D22925CE.mlw
path: /opt/CAPEv2/storage/binaries/9bed067ee8d79c3a7f0d830e990b00e8fa3f09a543518440ea6cd2e7fa595b0f
crc32: 7FDF1EE2
md5: fa77c6f287e1d22925ce32df06ab0b89
sha1: 5d5e68b6a7982a8b3516919a1ab625a220eefad0
sha256: 9bed067ee8d79c3a7f0d830e990b00e8fa3f09a543518440ea6cd2e7fa595b0f
sha512: a2f5aab6d0e5036a7b57df2920471db283535b2aef9dfedf36a6bdb1a3adb18564b5db22ec5da9545a5f9f36407411f751b27c366a150ff00c1aa9da0254f495
ssdeep: 1536:vsZDFF7RsurWaYkiQixA+alh98t8aF9USvXjyEwo7JaS1:EZDFFlLrWejH8tq8vwQL
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T16AC30C577B02400DE744397413EEC2D227A5F8495E1B298BBBA4B1B4DCEAE150E34BDB
sha3_384: 8ae1302294faa2f22523e6ea371a603393ebcb596e37bd24a4468c7bc580b8d6d9e7df9e79b81952b7ff1422577ec3d4
ep_bytes: 68a0124000e8f0ffffff000000000000
timestamp: 1997-12-25 17:48:15

Version Info:

0: [No Data]

Worm:Win32/Vobfus.EL also known as:

Bkav: W32.AIDetect.malware1
Elastic: malicious (high confidence)
MicroWorld-eScan: Gen:Variant.Barys.799
FireEye: Generic.mg.fa77c6f287e1d229
CAT-QuickHeal: Trojan.Beebone.D
McAfee: W32/Autorun.worm.aaeh
Cylance: Unsafe
VIPRE: Gen:Variant.Barys.799
Sangfor: [MICROSOFT VISUAL BASIC 5.0]
K7AntiVirus: EmailWorm ( 003c363a1 )
K7GW: EmailWorm ( 003c363a1 )
Cybereason: malicious.287e1d
Baidu: Win32.Worm.Autorun.v
VirIT: Trojan.Win32.Zyx.JT
Cyren: W32/Vobfus.AO.gen!Eldorado
Symantec: W32.Changeup
tehtris: Generic.Malware
ESET-NOD32: Win32/Pronny.JS
APEX: Malicious
ClamAV: Win.Trojan.Changeup-6169544-0
Kaspersky: Trojan.Win32.Vobfus.hy
BitDefender: Gen:Variant.Barys.799
NANO-Antivirus: Trojan.Win32.VB.rilqz
SUPERAntiSpyware: Trojan.Agent/Gen-Vban
Avast: Win32:GenMalicious-FAD [Trj]
Tencent: Worm.Win32.Vobfus.j
Ad-Aware: Gen:Variant.Barys.799
TACHYON: Trojan/W32.Vobfus.126976
Emsisoft: Gen:Variant.Barys.799 (B)
Comodo: Worm.Win32.VB.AUA@4o7zkg
DrWeb: Trojan.Siggen4.7246
TrendMicro: WORM_VOBFUS.SM41
McAfee-GW-Edition: BehavesLike.Win32.PWSZbot.cm
Trapmine: malicious.high.ml.score
Sophos: ML/PE-A + W32/SillyFDC-HV
Ikarus: Trojan.Patched
GData: Gen:Variant.Barys.799
Avira: TR/Barys.629.jh.1
Antiy-AVL: Trojan/Generic.ASBOL.5
Arcabit: Trojan.Barys.799
ViRobot: Trojan.Win32.A.VB.126976.W
ZoneAlarm: Trojan.Win32.Vobfus.hy
Microsoft: Worm:Win32/Vobfus.EL
Cynet: Malicious (score: 100)
AhnLab-V3: Downloader/Win32.Genome.C99330
VBA32: SScope.Malware-Cryptor.VBCR.1641
ALYac: Gen:Variant.Barys.799
MAX: malware (ai score=86)
Malwarebytes: Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall: WORM_VOBFUS.SM41
Rising: Worm.VobfusEx!1.99E1 (CLASSIC)
Yandex: Trojan.GenAsa!UUTN+wjiOFM
SentinelOne: Static AI – Malicious PE
MaxSecure: Worm.Vobfus.hy
Fortinet: W32/VBObfus.AU!tr
BitDefenderTheta: Gen:NN.ZevbaF.34582.huW@aeCEFvii
AVG: Win32:GenMalicious-FAD [Trj]
Panda: W32/Vobfus.GEW.worm
CrowdStrike: win/malicious_confidence_100% (D)

How to remove Worm:Win32/Vobfus.EL?

Worm:Win32/Vobfus.EL removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.