Virus: W32/Gobi.A
Type: File infector
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: No
File size: ~32.000 Bytes

General Method of propagation:
   • Infects files


Aliases:
   •  Symantec: W32.Gobi
   •  Mcafee: W32/Gobi.a
   •  Kaspersky: Virus.Win32.Gobi.a
   •  Sophos: W32/Gobi-A
   •  Bitdefender: Win32.Gobi.A

The file works interdependently with these components:
   •  BDS/Small.CQ.1


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Infects files
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control
     Can be used by rogue users or malware to lower security settings.

Files:
It copies itself to the following location:
   • %SYSDIR%\CKKILU101



The following files are created:
   • %TEMPDIR%\DABACKDOOR.EXE
     Furthermore, it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: BDS/Small.CQ.1

File infection:

Infector type:
   • Appender - The virus main code is added at the end of the infected file.
   • The last section of the file is modified to include the virus code.


Stealth:
EPO (Entry Point Obscuring) - The infected file's EP (Entry Point) remains the same. The virus patches the program code to redirect execution to the viral code.


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


Method:

This direct-action infector actively searches for files.


Infection length:

Approximately 32.000 Bytes


The following files are infected:

By file type:
   • *.exe

Registry:
One of the following values is added in order to run the process after reboot:

   • [HKCR\exefile\shell\open\command]
     @="%SYSDIR%\CKKILU101 \"%1\" %*"
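The registry change above is a classic persistence trick: the default value of HKCR\exefile\shell\open\command is the launcher Windows uses for every .exe, so putting a program in front of the "%1" placeholder makes it run each time any executable is started. The following script is an added example written for this page, not code from the description's author, and shows how a defender can check that value. The sample strings are constructed (the hijacked one mirrors the form shown above with %SYSDIR% expanded to a typical path); the live registry read only works on Windows and is skipped elsewhere.

```python
import re
import sys

# Default content of HKCR\exefile\shell\open\command on a clean Windows system:
# the launcher just runs the selected .exe ("%1") with its arguments (%*).
CLEAN_DEFAULT = '"%1" %*'

# Constructed sample values (not taken from a real system): the clean default and
# a value shaped like the W32/Gobi.A entry with %SYSDIR% expanded to C:\WINDOWS\system32.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "gobi_style": r'C:\WINDOWS\system32\CKKILU101 "%1" %*',
}


def analyze_exefile_command(value: str) -> dict:
    """Classify an exefile open-command value.

    Returns a dict with:
      hijacked - True if a program has been placed in front of the "%1" launcher
      prefix   - that program (with its path) if present, otherwise ""
    """
    # Collapse whitespace so harmless spacing differences do not trigger an alert.
    normalized = " ".join(value.split())
    if normalized == CLEAN_DEFAULT:
        return {"hijacked": False, "prefix": ""}
    # Everything before the "%1" placeholder is executed on every .exe launch.
    match = re.match(r'^(.*?)\s*"?%1"?(\s+%\*)?$', normalized)
    prefix = match.group(1).strip() if match else normalized
    if not prefix:
        # "%1" present without a prefix but with unusual quoting/arguments:
        # not the textbook default, but nothing is being interposed.
        return {"hijacked": False, "prefix": ""}
    return {"hijacked": True, "prefix": prefix}


def read_live_exefile_command():
    """Read the real default value on Windows; return None on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _type = winreg.QueryValueEx(key, "")
        return value


def check_samples() -> dict:
    """Run the classifier over the constructed samples (used by the stand-alone run)."""
    return {name: analyze_exefile_command(val) for name, val in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    live = read_live_exefile_command()
    if live is not None:
        result = analyze_exefile_command(live)
        print("live value:", repr(live))
        print("hijacked:", result["hijacked"], "prefix:", repr(result["prefix"]))
        sys.exit(1 if result["hijacked"] else 0)
    for name, result in check_samples().items():
        print(f"{name}: hijacked={result['hijacked']} prefix={result['prefix']!r}")
```

On a clean machine the live check reports hijacked=False; any prefix it reports (here the dropped %SYSDIR%\CKKILU101 file) is the program that has been interposed in front of every executable launch and is the first thing to collect for analysis before cleaning the value back to "%1" %*.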

Description inserted by Daniel Constantin on Thursday, February 18, 2010
Description updated by Daniel Constantin on Thursday, February 18, 2010
