TrojanDownloader:Win32/Obvod.K
First posted on 19 April 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Obvod.K is also known as Trojan-Clicker.Win32.Cycler.alkj (Kaspersky), Trojan.CryptRedol.Gen.3 (BitDefender).
Explanation:
TrojanDownloader:Win32/Obvod.K is a trojan that communicates with a remote server to receive data that instructs it to visit other websites. The trojan may also launch a web browser and display out-of-context advertisements on an affected computer.
Installation
When run, TrojanDownloader:Win32/Obvod.K drops a copy of itself as the following:
%ALLUSERSPROFILE%\Application Data\<eight random characters>.exe
For example, "C:\Documents and Settings\All Users\Application Data\ilu5my34.exe", "C:\Documents and Settings\All Users\Application Data\rdn7o5qq.exe", or "C:\Documents and Settings\All Users\Application Data\vo0qrbyn.exe".
It creates 24 job files, one for each hour of the day, so that the trojan is executed once an hour. The job files are numbered and stored as the following:
- %windir%\tasks\at1.job
- %windir%\tasks\at2.job, and so on, until
- %windir%\tasks\at24.job
Payload
Modifies Internet security settings
The trojan makes the following registry modifications in order to disable script debugging for Internet Explorer:
In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "DisableScriptDebuggerIE"
With data: "yes"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"
Communicates with a remote server
TrojanDownloader:Win32/Obvod.K connects to a remote server to receive encrypted data, which is saved in the temporary files folder as a randomly named file with a .DAT extension. The encrypted data contains a list of websites to visit or a list of files to download. In the wild, the remote servers include the following:
- 109.230.217.44
- 188.190.98.22
- 92.241.163.23
- cc.hfuidhfd.jp
- pfif4.hfuidhfd.jp
Displays advertisements
This malware opens Internet Explorer and injects several IFrame tags into the current session, resulting in several Internet Explorer sessions opening to websites that contain advertisements.
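The following Python script is an added triage example, not part of the Microsoft write-up, that checks exported host and network artifacts for the indicators listed in the Installation, Payload and "Communicates with a remote server" sections: the dropped copy under Application Data, the complete at1.job to at24.job set, the two registry values, and the five remote servers. The sample file list, registry export and DNS log lines are constructed for the example. The regular expression assumes the eight random characters are lowercase letters and digits, as in the three example names; the write-up itself only says "random characters".

```python
import re

# Remote servers transcribed from the write-up.
C2_HOSTS = {
    "109.230.217.44",
    "188.190.98.22",
    "92.241.163.23",
    "cc.hfuidhfd.jp",
    "pfif4.hfuidhfd.jp",
}

# Dropped copy: <eight random characters>.exe directly under Application Data.
# Assumption: the characters are lowercase letters and digits, as in the examples.
DROP_PATH_RE = re.compile(r"\\Application Data\\[a-z0-9]{8}\.exe$", re.IGNORECASE)

# Hourly job files at1.job .. at24.job in the Tasks folder.
JOB_RE = re.compile(r"\\Tasks\\at(\d{1,2})\.job$", re.IGNORECASE)
EXPECTED_JOBS = set(range(1, 25))

# (subkey, value name, data), lower-cased, from the registry section.
REG_INDICATORS = {
    (r"hkcu\software\microsoft\internet explorer\main", "disablescriptdebuggerie", "yes"),
    (r"hkcu\software\microsoft\windows\currentversion\internet settings\zones\3", "2500", "3"),
}


def find_dropped_copies(paths):
    """Return file paths that match the dropper's naming pattern."""
    return [p for p in paths if DROP_PATH_RE.search(p)]


def find_hourly_jobs(paths):
    """Return the set of atN.job indices present among the paths.

    A single atN.job is also produced by the legitimate at.exe command;
    the indicator is the complete 1..24 set (see has_full_job_set).
    """
    found = set()
    for p in paths:
        m = JOB_RE.search(p)
        if m:
            found.add(int(m.group(1)))
    return found


def has_full_job_set(job_indices):
    """True when every hourly job at1..at24 is present."""
    return EXPECTED_JOBS <= job_indices


def find_registry_indicators(entries):
    """entries: iterable of (subkey, value_name, data) as exported from the hive."""
    hits = []
    for subkey, name, data in entries:
        if (subkey.lower(), name.lower(), str(data).lower()) in REG_INDICATORS:
            hits.append((subkey, name, data))
    return hits


def find_c2_contacts(log_lines):
    """Return (line_number, indicator) for each log line naming a known server."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in re.split(r"[\s,;:\"'/]+", line):
            if token.lower() in C2_HOSTS:
                hits.append((n, token))
    return hits


def triage(files, registry, logs):
    """Run every check and return a summary dictionary."""
    jobs = find_hourly_jobs(files)
    return {
        "dropped_copies": find_dropped_copies(files),
        "hourly_jobs": sorted(jobs),
        "full_job_set": has_full_job_set(jobs),
        "registry": find_registry_indicators(registry),
        "c2_contacts": find_c2_contacts(logs),
    }


# Constructed sample artifacts: one dropped copy, a benign file, a benign job,
# the full hourly job set, three registry values and three DNS/connection log lines.
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Application Data\ilu5my34.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk",
    r"C:\WINDOWS\Tasks\Backup.job",
] + [rf"C:\WINDOWS\Tasks\at{i}.job" for i in range(1, 25)]

SAMPLE_REGISTRY = [
    (r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main", "DisableScriptDebuggerIE", "yes"),
    (r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main", "Start Page", "about:blank"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "3"),
]

SAMPLE_LOG = [
    "2012-04-19 10:00:01 client 10.0.0.5 query A cc.hfuidhfd.jp",
    "2012-04-19 10:00:02 client 10.0.0.5 query A www.example.com",
    "2012-04-19 11:00:04 client 10.0.0.5 connect 188.190.98.22:80",
]

if __name__ == "__main__":
    for name, value in triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The job check deliberately reports the full set rather than any single atN.job, because at.exe creates files with the same name for legitimate scheduled commands; the other three checks are exact matches on values the write-up lists.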
Analysis by Hyun Choi
Last update 19 April 2012