Downloader.Obator
First posted on 25 April 2015.
Source: Symantec
Aliases:
There are no other names known for Downloader.Obator.
Explanation:
When the Trojan is executed, it sets its current working directory to the following folder: %ProgramFiles%\Oracle\Updater
Next, the Trojan creates a mutex with the name "[COMPUTER NAME]". If a mutex with the same name already exists on the computer, then the Trojan ends its operations.
If Internet Explorer is launched, then the Trojan sets a cookie with the following contents: "disclaimer_accepted = true; expires = Sat, 01-Jan-2020 00:00:00 G"
The Trojan then connects to the following remote location: [https://]t2upiokua37wq2cx.tor2web.org
The Trojan may then download Infostealer.Obator to the compromised computer.
Last update 25 April 2015
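As an added detection example (not part of the original write-up), the following Python triage routine checks endpoint telemetry records for the behaviours described above: the working directory, a mutex named after the computer, and the tor2web destination. The record field names, the two assumed expansions of %ProgramFiles%, and the broader `*.tor2web.org` gateway check are assumptions of this example; the sample records are constructed.

```python
import ntpath

# Indicators taken from the write-up above.
C2_HOST = "t2upiokua37wq2cx.tor2web.org"
CWD_SUFFIX = r"\oracle\updater"
# Assumed expansions of %ProgramFiles% on a default Windows install.
PROGRAM_FILES = (r"c:\program files", r"c:\program files (x86)")


def indicators(event):
    """Return the sorted names of the described behaviours seen in one record.

    `event` is a hypothetical telemetry dict with the keys
    computer_name, cwd, mutexes and dest_hosts.
    """
    hits = set()
    cwd = ntpath.normpath(event.get("cwd", "")).lower()
    if any(cwd == root + CWD_SUFFIX for root in PROGRAM_FILES):
        hits.add("cwd")
    host = event.get("computer_name", "").lower()
    # Handle listings prefix mutexes with an object namespace; compare the leaf name.
    leaves = {m.replace("/", "\\").rsplit("\\", 1)[-1].lower()
              for m in event.get("mutexes", [])}
    if host and host in leaves:
        hits.add("mutex")
    for dest in event.get("dest_hosts", []):
        d = dest.lower().rstrip(".")
        if d == C2_HOST:
            hits.add("c2_host")
        elif d.endswith(".tor2web.org"):
            hits.add("tor2web_gateway")  # broader than the write-up: any tor2web host
    return sorted(hits)


def triage(event):
    """'match' on the exact host or two or more behaviours, else 'review' or 'clean'."""
    hits = indicators(event)
    if "c2_host" in hits or len(hits) >= 2:
        return "match", hits
    return ("review" if hits else "clean"), hits


# Constructed sample records (not real telemetry).
SAMPLES = [
    {"computer_name": "WS-0142", "cwd": "C:/Program Files (x86)/Oracle/Updater/",
     "mutexes": [r"\Sessions\1\BaseNamedObjects\WS-0142"], "dest_hosts": [C2_HOST]},
    {"computer_name": "WS-0200", "cwd": r"C:\Program Files\Oracle\Updater",
     "mutexes": [r"\BaseNamedObjects\SomeAppMutex"], "dest_hosts": ["update.example.com"]},
    {"computer_name": "WS-0300", "cwd": r"C:\Windows\System32",
     "mutexes": [], "dest_hosts": ["example.org"]},
    {"computer_name": "WS-0400", "cwd": r"C:\Users\Public",
     "mutexes": [], "dest_hosts": ["abcdefghijklmnop.tor2web.org", "abcdefghijklmnop.tor2web.org"]},
]
```

A single behaviour on its own, such as the working directory, only yields `review`, because a legitimate process could plausibly run from that folder.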