Two malicious software programs that help each other stay on computers are proving difficult to remove.
The programs work together by alternately downloading slightly
different variations of the other in an attempt to evade antivirus
Hyun Choi of Microsoft’s Malware Protection Center, on Sunday.
One of the malware programs, called Vobfus, was detected in September
2009. It is known as a downloader, or a program that downloads other
pieces of code.
Once Vobfus infects a computer, it downloads from a remote
command-and-control server a program called Beebone, which is another
kind of downloader that installs other malicious programs on a computer.
The two work together, downloading variants of the other that are not
immediately detected by antivirus products, Choi wrote.
“This cyclical relationship between Beebone and Vobfus downloading
each other is the reason why Vobfus may seem so resilient to antivirus
products,” Choi wrote. Updated antivirus products may detect one variant
present on the system; however, newer downloaded variants may not be
Other malware programs have been known to update themselves once a
computer is infected. But if the malware is detected and removed, the
targeted computer would have to be infected again by an attacker. The
approach of Vobfus and Beebone makes it more likely the computer will
Vobfus is also a worm that copies itself to removable drives. It uses
the autorun function that, if enabled on a computer, causes Vobfus to
automatically run and infect Windows computers.
“In the wild, we have observed that Vobfus maintains a very successful removable-drive infection rate,” Choi wrote.
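
As an added illustration of the removable-drive vector described above (not code from Microsoft or from the original article), this Python example lists the directives in an `autorun.inf` that would launch a program and checks whether a `NoDriveTypeAutoRun` policy value turns AutoRun off for removable drives. The sample file contents, the name `placeholder.exe` and the function names are constructed for the example.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
DRIVE_REMOVABLE = 0x04  # NoDriveTypeAutoRun bit for removable drives


def launch_directives(autorun_text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    found, in_section = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue  # other sections and junk padding carry no directive
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_CMD.match(key):
            found.append((key, value.strip()))
    return found


def autorun_disabled_for_removable(no_drive_type_autorun):
    """True if the policy bitmask turns AutoRun off for removable drives."""
    return bool(no_drive_type_autorun & DRIVE_REMOVABLE)


# Constructed sample: an autorun.inf with junk padding and mixed case.
SAMPLE = """\
;aKd93kdlq
[AutoRun]
zzqk padding line
Open=placeholder.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=placeholder.exe
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in launch_directives(SAMPLE):
        print(f"launch directive: {key} -> {cmd}")
    print("0x91 covers removable drives:", autorun_disabled_for_removable(0x91))
```

A removable drive whose `autorun.inf` yields any launch directive deserves a closer look before it is opened on a machine where the policy check returns `False`.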