A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15211  by Aleksandra
 Wed Aug 15, 2012 5:46 pm
This downloader has been very popular.

MD5: e3427514883ec5e62036a794827776c4
SHA1: 494d19825f43d182893da9259e772a9c7a22dc06
https://www.virustotal.com/file/fbd4c08 ... /analysis/

http://camas.comodo.com/cgi-bin/submit? ... 4794389ffe

http://www.microsoft.com/security/porta ... 32/OBVOD.K
Attachments
pass: virus
 #16665  by rinn
 Sat Nov 17, 2012 3:39 pm
Aleksandra wrote:
_http://tested.toufann.ch/188.exe

MD5: ea69921571e07baf69adda088b943556
SHA1: 521bccef588d9782a80d6be15009a880332071e5
https://www.virustotal.com/file/d497575 ... /analysis/
Hi.

If you are interested in the decrypted sample of this trojan, see the attachment; the password is "infected" without quotes. It's possibly another evolution of the Zonebac backdoor, or a fork; not 100% sure of course. Let's say Win32/Zonebac ---> Win32/Unruy ---> Win32/Obvod. You must have already noticed the list of AV processes inside. The same list was used in different malware, from Zonebac (initially checks for processes containing the following substrings, and quits if found) and Unruy (checks if any active process names match any of the names in the following list; this information may be sent to a remote host for collection by an attacker) to the killAV plugin (list for termination) of Dorkbot/NgrBot.


Best Regards,
-rin
 #16681  by Xylitol
 Sun Nov 18, 2012 11:41 am
A bit of research on the server:
hxxp://188.190.98.22:80/ca.php
hxxp://188.190.98.22:80/ref.php
hxxp://188.190.98.22:80/a.php
hxxp://188.190.98.22:80/check.php
hxxp://188.190.98.22:80/file.php
hxxp://188.190.98.22:80/auth.php
hxxp://188.190.98.22:80/0xabad1dea.php
hxxp://188.190.98.22:80/count.php
hxxp://188.190.98.22:80/research/hmm.php
hxxp://188.190.98.22:80/mgr/
Also found a 16 KB hello world:
hxxp://188.190.98.22:80/msg.exe
and this one, which seems malicious:
hxxp://188.190.98.22:80/aoa.exe
https://www.virustotal.com/file/2d9ae26 ... 353238078/
http://www.threatexpert.com/report.aspx ... d87fa17f6b