Vobfus

Category: worm · Aliases: win32.vobfus, vobfus.a, vobfus.b, worm.vobfus, bfus · Sample count (EMBER 2018): 1,484 · Enrichment: curated_sourced · Updated: 2026-06-10

Overview

Vobfus (also known as Beebone) is a Windows worm. As documented by Malpedia (Fraunhofer FKIE), it searches for computers on a network and creates copies of itself in folders with open access; for the malware to activate, a user must first run it on the computer. Vobfus is written in the Visual Basic programming language and uses code obfuscation, which is a distinguishing feature of the family. This obfuscation complicates attempts by anti-virus software to analyze the malware. The Beebone botnet associated with Vobfus was the subject of a coordinated takedown.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1091 T1036.005 T1105 T1547.001 T1083

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_VOBFUS {
    meta:
        description = "Detects Vobfus (worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "vobfus" ascii wide nocase
        $s2 = "win32.vobfus" ascii wide nocase
        $s3 = "vobfus.a" ascii wide nocase
        $s4 = "vobfus.b" ascii wide nocase
        $s5 = "worm.vobfus" ascii wide nocase
        $s6 = "bfus" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Vobfus Activity
id: 513e5152eff74b716e9bc33f02963458
status: experimental
description: Detects generic indicators of the vobfus malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*vobfus*"
            - "*win32.vobfus*"
            - "*vobfus.a*"
            - "*vobfus.b*"
            - "*worm.vobfus*"
            - "*bfus*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is Vobfus?

Vobfus, also known as Beebone, is a Windows worm. According to Malpedia, it spreads by searching for computers on a network and copying itself into folders with open access, allowing it to propagate to other machines and drives.

How does Vobfus spread?

Per Malpedia, Vobfus searches for computers on a network and creates copies of itself in folders with open access. For the malware to be activated, a user must first run the copied file on the computer, so it relies on a user executing the dropped copy.

What makes Vobfus hard to detect?

Malpedia notes that Vobfus is written in Visual Basic and uses code obfuscation, which is a distinguishing feature of the family. This obfuscation is designed to complicate attempts by anti-virus software to analyze the malware.

What is the connection between Vobfus and Beebone?

Beebone is another name for the Vobfus family. The Beebone botnet built on this malware was the subject of a coordinated takedown effort, as referenced in the Malpedia entry's cited reporting.

Related Families (Category: worm)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/vobfus.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.