TROJ_OBVOD
Obvod (Microsoft), TrojanClicker (Eset)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
OBVOD is a malware family of Trojans known for its pay-per-click scheme. When executed, OBVOD variants connect to certain websites to obtain a list of URLs that it visits for the pay-per-click scheme.
In addition, some variants check data found in the registry entries of specific registry keys. From the gathered data, it identifies all files with extensions such as .EXE and .COM and renames the said files. It also creates copies of itself using the original file and folder names of the renamed files.
TECHNICAL DETAILS
Yes
Pay-per click fraud
Installation
This Trojan drops and executes the following files:
- %Windows%\Tasks\At1.job
- %Windows%\Tasks\At2.job
- %Windows%\Tasks\At3.job
- %Windows%\Tasks\At4.job
- %Windows%\Tasks\At5.job
- %Windows%\Tasks\At6.job
- %Windows%\Tasks\At7.job
- %Windows%\Tasks\At8.job
- %Windows%\Tasks\At9.job
- %Windows%\Tasks\At10.job
- %Windows%\Tasks\At11.job
- %Windows%\Tasks\At12.job
- %Windows%\Tasks\At13.job
- %Windows%\Tasks\At14.job
- %Windows%\Tasks\At15.job
- %Windows%\Tasks\At16.job
- %Windows%\Tasks\At17.job
- %Windows%\Tasks\At18.job
- %Windows%\Tasks\At19.job
- %Windows%\Tasks\At20.job
- %Windows%\Tasks\At21.job
- %Windows%\Tasks\At22.job
- %Windows%\Tasks\At23.job
- %Windows%\Tasks\At24.job
- %Windows%\Tasks\At25.job
- %Windows%\Tasks\At26.job
- %Windows%\Tasks\At27.job
- %Windows%\Tasks\At28.job
- %Windows%\Tasks\At29.job
- %Windows%\Tasks\At30.job
- %Windows%\Tasks\At31.job
- %Windows%\Tasks\At32.job
- %Windows%\Tasks\At33.job
- %Windows%\Tasks\At34.job
- %Windows%\Tasks\At35.job
- %Windows%\Tasks\At36.job
- %Windows%\Tasks\At37.job
- %Windows%\Tasks\At38.job
- %Windows%\Tasks\At39.job
- %Windows%\Tasks\At40.job
- %Windows%\Tasks\At41.job
- %Windows%\Tasks\At42.job
- %Windows%\Tasks\At43.job
- %Windows%\Tasks\At44.job
- %Windows%\Tasks\At45.job
- %Windows%\Tasks\At46.job
- %Windows%\Tasks\At47.job
- %Windows%\Tasks\At48.job
- %All Users Profile%\Application Data\5q2B8R.dat
- %All Users Profile%\Application Data\{random file name}.exe.b
- %All Users Profile%\Application Data\{random file name}.exe_.b
(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %All Users Profile%\Application Data\{random file name}.exe
(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)
Other System Modifications
This Trojan adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
DisableScriptDebuggerIE = "yes"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Error Dlg Displayed On Every Error = "no"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
NoProtectedModeBanner = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\InternetSettings
WarnOnZoneCrossing = "0"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\InternetSettings\
Zones\3
2500 = "3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Direct3d
LA = "400"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "72"
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}3.{BLOCKED}d.in
- {BLOCKED}i.{BLOCKED}d.in
- {BLOCKED}p.{BLOCKED}d.in
- {BLOCKED}d.in