BAT_OBQHOST.A

 Modified by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan opens an instance of the browser to access a certain website.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

File Size:

69,632 bytes

File Type:

BAT

Memory Resident:

No

Initial Samples Received Date:

10 Oct 2011

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Download Routine

This Trojan connects to the following malicious URLs:

  • http://www.{BLOCKED}ebattante.org/media/com_fabrik/images/total_visitas.php

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file, so that the listed domains (mostly Brazilian banking sites) resolve to 209.59.212.251 instead of their legitimate addresses:

  • 209.59.212.251 www4.itau.com.br
  • 209.59.212.251 itau.com.br
  • 209.59.212.251 www.itau.com.br
  • 209.59.212.251 www.bancoitau.com.br
  • 209.59.212.251 bancoitau.com.br
  • 209.59.212.251 www.itaupersonnalite.com.br
  • 209.59.212.251 itaupersonnalite.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 bradesco.com.br
  • 209.59.212.251 www.bradesco.com.br
  • 209.59.212.251 www4.bradesco.com.br
  • 209.59.212.251 www.prime.com.br
  • 209.59.212.251 prime.com.br
  • 209.59.212.251 www.bradescoprime.com.br
  • 209.59.212.251 bradescoprime.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 bb.com.br
  • 209.59.212.251 www.bb.com.br
  • 209.59.212.251 www.bancodobrasil.com.br
  • 209.59.212.251 bancodobrasil.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.tam.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 www.multiplusfidelidade.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 www.sicredi.com.br
  • 127.0.0.1 localhost
  • 209.59.212.251 sicredi.com.br
  • 209.59.212.251 www.serasa.com.br
  • 209.59.212.251 serasa.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.santander.com.br
  • 209.59.212.251 www4.santander.com.br
  • 209.59.212.251 santander.com.br
  • 209.59.212.251 www.santandernet.com.br
  • 209.59.212.251 santandernet.com.br
  • 209.59.212.251 www.banespa.com.br
  • 127.0.0.1 localhost
  • 127.0.0.1 localhost
  • 209.59.212.251 www.santanderempresarial.com.br
  • 209.59.212.251 santanderempresarial.com.br
  • 127.0.0.1 localhost
  • $ $ $$$$$ $$$$$ $$ $$ $ $
  • $ $ $ $ $ $$ $$ $ $
  • $$$$$ $$$$$ $$$$$ $$$ $$$$$
  • $ $ $ $ $ $$ $$ $ $
  • $ $ $ $ $$$$$ $$ $$ $ $
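The HOSTS entries above work as a local pharming attack: name resolution for the banking domains is answered from the HOSTS file before DNS is consulted, so the browser is sent to 209.59.212.251 while the address bar still shows the bank's name. The script below is an added example, not code from this entry or from Trend Micro; it audits a HOSTS file and reports every hostname mapped to a non-loopback address, groups those hostnames by target address (many unrelated domains sharing one address is the tell), and flags lines that are not valid HOSTS syntax, such as the `$` banner rows the Trojan appends. The `SAMPLE_HOSTS` text is constructed here from the entries listed on this page.

```python
"""Audit a Windows HOSTS file for pharming-style overrides.

Added example (not part of the BAT_OBQHOST.A entry). It parses HOSTS
content and flags hostnames mapped to non-loopback addresses, which is
how this Trojan redirects banking domains to 209.59.212.251.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a HOSTS file after the Trojan has appended its
# entries (taken from the list on this page), including a banner row.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
209.59.212.251 www4.itau.com.br
209.59.212.251 itau.com.br
127.0.0.1 localhost
209.59.212.251 www.bb.com.br
$ $ $$$$$ $$$$$ $$ $$ $ $
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the HOSTS file
    kind: str      # "redirect" (non-loopback mapping) or "malformed"
    address: str   # first token of the line, as written
    hostname: str  # hostname(s) the line maps


def _is_benign_address(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0) are the
    # normal contents of a stock HOSTS file or an ad-blocking one.
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> list[Finding]:
    """Return one Finding per suspicious hostname mapping or bad line."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments, blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            # Not "<ip> <host>..." at all: e.g. the "$" banner rows.
            findings.append(Finding(line_no, "malformed", parts[0],
                                    " ".join(parts[1:])))
            continue
        if _is_benign_address(addr):
            continue
        # A non-loopback mapping is worth review: legitimate for an
        # intranet host, but the pattern used by this Trojan for banks.
        for host in parts[1:]:
            findings.append(Finding(line_no, "redirect", str(addr), host))
    return findings


def redirect_targets(findings: list[Finding]) -> dict[str, set[str]]:
    """Group redirected hostnames by target address.

    Dozens of unrelated domains sharing one target address is a strong
    pharming indicator, whatever the individual domains are.
    """
    targets: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.kind == "redirect":
            targets[f.address].add(f.hostname)
    return dict(targets)


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print(f"line {f.line_no}: {f.kind:9} {f.address} -> {f.hostname}")
    for address, hosts in redirect_targets(results).items():
        print(f"{address} receives {len(hosts)} hostnames: {sorted(hosts)}")
```

On a live system the input would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`; running the audit on a schedule, or on the file-write event for that path, catches this family's modification the moment it lands. Repeated `127.0.0.1 localhost` lines, as seen in the list above, are themselves a sign that something has been appending to the file rather than editing it by hand.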

NOTES:

It opens an instance of the browser to access the following website:

  • www.youtube.com