
TrojanDownloader:Win32/Obvod.K


First posted on 19 April 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Obvod.K is also known as Trojan-Clicker.Win32.Cycler.alkj (Kaspersky), Trojan.CryptRedol.Gen.3 (BitDefender).

Explanation:

TrojanDownloader:Win32/Obvod.K is a trojan that communicates with a remote server to receive data that instructs it to visit other websites. The trojan may also launch a web browser and display out-of-context advertisements on an affected computer.



Installation

When run, TrojanDownloader:Win32/Obvod.K drops a copy of itself as the following:

%ALLUSERSPROFILE%\Application Data\<eight random characters>.exe

For example, "C:\Documents and Settings\All Users\Application Data\ilu5my34.exe", "C:\Documents and Settings\All Users\Application Data\rdn7o5qq.exe", or "C:\Documents and Settings\All Users\Application Data\vo0qrbyn.exe".

It creates 24 job files, one for each hour of the day, to execute the trojan once an hour. The job files are enumerated and stored as the following:

  • %windir%\tasks\at1.job
  • %windir%\tasks\at2.job, and so on, until
  • %windir%\tasks\at24.job
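The two installation artifacts above (the eight-character dropped executable and the run of at1.job through at24.job) are easy to check for in a file listing. The following is an added example written for this page, not Microsoft's own tooling. It runs over a constructed directory listing and assumes, from the three file names quoted above, that the random name is eight lower-case letters or digits; it also goes slightly beyond the text by treating only the complete 1..24 run as the high-confidence signal, since a handful of atN.job files is normal on a host where the AT command was used.

```python
import re

# Constructed directory listing (not real forensic data). It mixes the artifacts the
# write-up describes with ordinary files that must not be flagged.
SAMPLE_PATHS = [rf"C:\WINDOWS\Tasks\at{i}.job" for i in range(1, 25)] + [
    r"C:\WINDOWS\Tasks\SA.DAT",
    r"C:\WINDOWS\Tasks\At25.job",
    r"C:\Documents and Settings\All Users\Application Data\ilu5my34.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp",
    r"C:\Documents and Settings\All Users\Application Data\setup.exe",
]

# <tasks folder>\atN.job, as created by the AT scheduler; N is captured.
AT_JOB_RE = re.compile(r"[\\/]tasks[\\/]at(\d+)\.job$", re.IGNORECASE)

# Assumption: the eight random characters are lower-case letters/digits, matching
# the names quoted in the write-up (ilu5my34, rdn7o5qq, vo0qrbyn). The path is the
# XP-era expansion of %ALLUSERSPROFILE%\Application Data.
DROPPED_EXE_RE = re.compile(
    r"[\\/]All Users[\\/]Application Data[\\/][a-z0-9]{8}\.exe$", re.IGNORECASE
)


def at_job_hours(paths):
    """Return the set of N for every atN.job found in a tasks folder."""
    hours = set()
    for p in paths:
        m = AT_JOB_RE.search(p)
        if m:
            hours.add(int(m.group(1)))
    return hours


def has_hourly_job_set(paths):
    """True only when at1.job .. at24.job are all present.

    A few atN.job files are normal on a host where someone used AT; the full
    1..24 run is the pattern this trojan leaves behind.
    """
    return set(range(1, 25)) <= at_job_hours(paths)


def dropped_exe_candidates(paths):
    """Eight-character .exe files directly under All Users\\Application Data.

    The wild names were random, so this yields candidates for hashing and
    inspection, not a verdict on its own.
    """
    return [p for p in paths if DROPPED_EXE_RE.search(p)]


def assess(paths):
    """Summarise both installation indicators for one file listing."""
    hours = at_job_hours(paths)
    return {
        "hourly_job_set": has_hourly_job_set(paths),
        "missing_hours": sorted(set(range(1, 25)) - hours),
        "dropped_exe_candidates": dropped_exe_candidates(paths),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(assess(SAMPLE_PATHS), indent=2))
```

On a live host the listing would come from enumerating %windir%\tasks and %ALLUSERSPROFILE%\Application Data; the functions only need the resulting path strings.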


Payload

Modifies Internet security settings

The trojan makes the following registry modifications in order to disable script debugging for Internet Explorer:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main
Sets value: "DisableScriptDebuggerIE"
With data: "yes"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "2500"
With data: "3"

Communicates with a remote server

TrojanDownloader:Win32/Obvod.K connects to a certain remote server to receive encrypted data, which it saves in the temporary files folder as a randomly named file with a .DAT file extension. The encrypted data contains a list of websites to visit or a list of files to download. In the wild, the remote servers include the following:

  • 109.230.217.44
  • 188.190.98.22
  • 92.241.163.23
  • cc.hfuidhfd.jp
  • pfif4.hfuidhfd.jp
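The registry changes listed under "Modifies Internet security settings" and the server list above can be checked together from a host snapshot and a connection log. The following is an added example for this page, not code from Microsoft. It uses the page's own indicators; the snapshot and log formats are constructed for the example (key -> {value name: data} for the registry, one "dst=... host=..." line per connection), and it goes beyond the page in one respect: any other host name under hfuidhfd.jp is reported as well, not only the two listed subdomains.

```python
import re

# Constructed host snapshot (not a real export). REG_DWORD data appears as int and
# REG_SZ as str, so comparisons go through str() below.
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main": {
        "DisableScriptDebuggerIE": "yes",
        "Start Page": "about:blank",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3": {
        "2500": 3,
        "1A00": 65536,
    },
}

# Constructed proxy log lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2012-04-19 09:00:12 src=10.1.2.30 dst=188.190.98.22 host=- uri=/in.php
2012-04-19 09:00:14 src=10.1.2.30 dst=198.51.100.20 host=www.example.com uri=/
2012-04-19 10:00:03 src=10.1.2.30 dst=203.0.113.7 host=pfif4.hfuidhfd.jp uri=/x.dat
2012-04-19 10:00:05 src=10.1.2.31 dst=203.0.113.8 host=update.hfuidhfd.jp uri=/y.dat
2012-04-19 10:00:09 src=10.1.2.31 dst=203.0.113.9 host=hfuidhfd.jp.example.net uri=/
"""

# Indicators exactly as the write-up lists them.
REGISTRY_INDICATORS = [
    (r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Main", "DisableScriptDebuggerIE", "yes"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "2500", "3"),
]
C2_IPS = {"109.230.217.44", "188.190.98.22", "92.241.163.23"}
C2_DOMAINS = {"cc.hfuidhfd.jp", "pfif4.hfuidhfd.jp"}
# Generalisation beyond the page: other hosts under this zone are treated as related.
C2_DOMAIN_SUFFIX = "hfuidhfd.jp"


def _norm_key(key):
    # Registry paths are case-insensitive; normalise separators and case.
    return key.replace("/", "\\").strip("\\").lower()


def registry_findings(registry):
    """Return (key, value_name, data) for each indicator present with the listed data."""
    lowered = {
        _norm_key(k): {name.lower(): data for name, data in values.items()}
        for k, values in registry.items()
    }
    found = []
    for key, name, expected in REGISTRY_INDICATORS:
        values = lowered.get(_norm_key(key), {})
        data = values.get(name.lower())
        if data is not None and str(data).lower() == expected.lower():
            found.append((key, name, data))
    return found


LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def _host_matches(host):
    host = host.lower().rstrip(".")
    return (
        host in C2_DOMAINS
        or host == C2_DOMAIN_SUFFIX
        or host.endswith("." + C2_DOMAIN_SUFFIX)
    )


def network_findings(log_text):
    """Return (line_number, matched_indicator) for each line hitting an IP or host."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        if m["dst"] in C2_IPS:
            hits.append((number, m["dst"]))
        elif m["host"] != "-" and _host_matches(m["host"]):
            hits.append((number, m["host"].lower()))
    return hits


if __name__ == "__main__":
    for hit in registry_findings(SAMPLE_REGISTRY):
        print("registry:", hit)
    for hit in network_findings(SAMPLE_LOG):
        print("network:", hit)
```

The suffix match is deliberate: the page names two hosts under hfuidhfd.jp, and a downloader that rotates subdomains would otherwise slip past an exact-match list, while a name that merely contains the string (the last constructed line) is not reported.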


Displays advertisements

This malware opens Internet Explorer and injects several IFrame tags into the current session, resulting in several Internet Explorer sessions opening to websites that contain advertisements.



Analysis by Hyun Choi

Last update 19 April 2012