Need to fix your PC?
Hire an Expert
Virus:TR/Obisty.A
Date discovered:19/12/2012
Type:Trojan
In the wild:No
Reported Infections:Medium
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:148.992 Bytes
MD5 checksum:89FA070B12AEE94C97F15AFBC8404E00
VDF version:7.11.54.86 - Wednesday, December 19, 2012
IVDF version:7.11.54.86 - Wednesday, December 19, 2012

 General Method of propagation:
   • By visiting infected websites

Similar detection:
   •  JS/Redirector.SB
   •  EXP/Pidief.zar


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Registry modification
   • Steals information

 Files It copies itself to the following location:
   • %APPDATA%\KB%eight-digit random character string%.exe



The following file is created:

%TEMPDIR%\exp3.tmp.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

 Registry The following registry key is added in order to run the process after reboot:

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • %APPDATA%\KB%eight-digit random character string% .exe

 Backdoor Contact server:
One of the following:
   • http://84.22.100.108:8080/%random character string%/%random character string%/%random character string%
   • http://182.237.17.180:8080/%random character string%/%random character string%/%random character string%
   • http://123.49.61.59:8080/%random character string%/%random character string%/%random character string%
   • http://204.15.30.202:8080/%random character string%/%random character string%/%random character string%
   • http://64.76.19.236:8080/%random character string%/%random character string%/%random character string%
   • http://59.90.221.6:8080/%random character string%/%random character string%/%random character string%
   • http://210.56.23.100:8080/%random character string%/%random character string%/%random character string%
   • http://94.73.129.120:8080/%random character string%/%random character string%/%random character string%
   • http://174.143.174.136:8080/%random character string%/%random character string%/%random character string%
   • http://203.217.147.52:8080/%random character string%/%random character string%/%random character string%
   • http://74.207.237.170:8080/%random character string%/%random character string%/%random character string%
   • http://23.29.73.220:8080/%random character string%/%random character string%/%random character string%
   • http://69.64.89.82:8080/%random character string%/%random character string%/%random character string%
   • http://74.63.229.10:8080/%random character string%/%random character string%/%random character string%
   • http://74.86.113.66:8080/%random character string%/%random character string%/%random character string%
   • http://174.121.188.156:8080/%random character string%/%random character string%/%random character string%
   • http://50.22.94.96:8080/%random character string%/%random character string%/%random character string%
   • http://173.203.102.204:8080/%random character string%/%random character string%/%random character string%
   • http://74.117.107.25:8080/%random character string%/%random character string%/%random character string%
   • http://174.142.68.239:8080/%random character string%/%random character string%/%random character string%
   • http://188.212.156.170:8080/%random character string%/%random character string%/%random character string%
   • http://188.120.226.30:8080/%random character string%/%random character string%/%random character string%
   • http://78.28.120.32:8080/%random character string%/%random character string%/%random character string%
   • http://217.65.100.41:8080/%random character string%/%random character string%/%random character string%
   • http://81.93.250.157:8080/%random character string%/%random character string%/%random character string%
   • http://188.40.109.204:8080/%random character string%/%random character string%/%random character string%

As a result it may send information and remote control could be provided. This is done via the HTTP POST method using a PHP script.

 Injection – It injects itself as a thread into processes.

It is injected into all processes.


 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Liviu Serban on Wednesday, December 19, 2012
Description updated by Andrei Gherman on Wednesday, December 19, 2012

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.