Saturday, 31 January 2009 16:57
Walling Data provides U.S.-based phone and remote support for all of its customers. One of our clients, a preparatory school in the president’s home state of Illinois, contacted us for support regarding an apparent virus outbreak across their network. During a remote control support session, one of our support staff noted that on infected systems a picture of the president’s head would appear in the lower right portion of the screen as a semi-transparent, always-on-top window. Because of this, it was immediately dubbed the Obama Worm.
What it does
- When the threat is executed, it behaves much like the Conficker worm in exploiting the auto-run feature to infect removable USB drives and the local drive of the system. It has also been reported that computers on an Active Directory domain can be infected over the network, but we have not been able to verify this yet. We can safely say that in peer-based networks the threat does not seem to infect mapped shares or communicate with the network in any manner.
- This threat does not appear to “phone home” or attempt internet communication.
- It modifies the registry to start executable, batch, Visual Basic, and screensaver files using a copy of the threat on the root of the C: drive. The only issue with this is that after the system is rebooted twice, the threat effectively disables execution of any programs on the system: Visual C++ runtime DLL errors appear when executables are launched.
- It modifies the registry to re-hide or keep hidden files hidden
- It copies itself to the root of the drive and several folder locations and adds startup entries
- Once it’s started, it essentially re-installs itself over and over again every few seconds
- On Mondays only, it will display a medium-size, semi-transparent image of the president in the lower right corner of the screen that stays on top of all other applications
- See a complete list of file and registry changes from Obama Worm here.
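A triage check for the file-handler change described in the list above, as an added example that is not from the original article: it parses `reg query` output for the exe, bat, vbs and scr open commands and flags any that run a file sitting in a drive root or otherwise differ from stock. The stock values, the function names and the sample text (including the placeholder `C:\PLACEHOLDER.exe`, since the article does not name the file) are assumptions constructed for illustration.

```python
import re
# Stock open-command handlers on a typical Windows install (assumption:
# confirm against a known-clean machine of the same Windows version).
DEFAULTS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "scrfile": '"%1" /S',
    "vbsfile": '"%SystemRoot%\\System32\\WScript.exe" "%1" %*',
}
KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$", re.I)
VAL_RE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")
# Program located directly in a drive root, e.g. C:\name.exe (no subfolder).
ROOT_RE = re.compile(r'^"?([A-Za-z]:\\[^\\"\s]+)(?=["\s]|$)')

def norm(cmd):
    """Ignore quoting and case when comparing against the stock value."""
    return cmd.replace('"', "").lower().strip()

def audit(reg_query_output):
    """Return [(progid, command, reason)] for handlers that are not stock."""
    findings, progid = [], None
    for line in reg_query_output.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            progid = key.group(1).lower()
            continue
        val = VAL_RE.match(line)
        if val and progid in DEFAULTS:
            cmd = val.group(1).strip()
            root = ROOT_RE.match(cmd)
            if root:
                findings.append((progid, cmd, "runs a file in the drive root: " + root.group(1)))
            elif norm(cmd) != norm(DEFAULTS[progid]):
                findings.append((progid, cmd, "differs from stock handler"))
            progid = None
    return findings

# Constructed sample in the layout printed by `reg query <key> /ve`.
SAMPLE = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\PLACEHOLDER.exe "%1" %*
HKEY_CLASSES_ROOT\batfile\shell\open\command
    (Default)    REG_SZ    "%1" %*
HKEY_CLASSES_ROOT\VBSFile\shell\open\command
    (Default)    REG_EXPAND_SZ    "%SystemRoot%\System32\WScript.exe" "%1" %*
HKEY_CLASSES_ROOT\scrfile\shell\open\command
    (Default)    REG_SZ    C:\PLACEHOLDER.exe "%1" /S
"""
if __name__ == "__main__":
    for progid, cmd, reason in audit(SAMPLE):
        print(f"{progid}: {reason} -> {cmd}")
```

Because a hijacked exefile handler can itself prevent tools from launching, collect the `reg query` output from a clean boot environment or remotely where possible.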
Other Information
Signs of Infection
- Each Monday, all day long, you see this semi-transparent image, on top of all windows, in the lower right corner of your screen
- You receive Visual C++ Runtime Errors when you attempt to run any programs. The text of the error will indicate that the application has requested the Runtime to terminate it in an unusual way
- Your computer looks similar to this upon startup
About Walling Data: Walling Data represents a group of divisions that offer technology distribution and support services throughout North America, traditional break/fix repair services from its two office locations in Catawba and Iredell Counties in North Carolina, as well as Virtual IT department outsourcing via its Guaranteed IT managed services program. Walling Data is also the largest distributor of AVG Anti-Virus products in the US and Canada and is an authorized distributor of Cymphonix, Cyber Patrol, and other security products. Learn more at www.wallingdata.com