Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJAN.ANTIAV.OBX


Name: Trojan.AntiAV.obx

Added: August 9, 2011

Type: Trojan

Risk: Low

Payload: N/A

At risk systems: Windows 95/98/ME/XP/NT/2003


Description:


Trojan.AntiAV.obx arrives on a system as a file downloaded by an unsuspecting user when visiting malicious Web sites (e.g. a fake YouTube site that tries to get the user to play a video, prompting the user to install a ‘Flash Player’ (flash-player.exe) that will infect the machine with malware).

When the user executes Flash-Player.exe, it performs the following activities:

After execution, it drops the following files:

%Windir%\update.1\svchost.exe
%Windir%\Temp\3365152.exe
%Windir%\services32.exe
%Windir%\sysdriver32.exe
%Windir%\sysdriver32_.exe

It creates/modifies the following registry entries:

wxpdrv: "%Windir%\update.1\svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3365152.exe: ""%Windir%\Temp\3365152.exe""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

sysdriver32.exe: ""%Windir%\sysdriver32.exe" rezerv"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

sysdriver32_.exe: ""%Windir%\sysdriver32_.exe" rezerv"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The malware adds itself to the list of applications that are authorized to access the Internet without being stopped by the configured firewall, by making the following registry modification:

%Windir%\update.1\svchost.exe:"%Windir%\update.1\svchost.exe:*:Enabled:%Windir%\update.1\svchost.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The malware disables LUA (Least-privileged User Account), also known as the “administrator in Admin Approval Mode” user type, by modifying the registry entry below. With LUA disabled, all applications run by default with full administrative privileges and the user is never prompted for consent.

EnableLUA: 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

The malware may attempt to stop the Windows Security Center from monitoring the firewall by making the following registry modification:

FirewallOverride: 1
HKLM\SOFTWARE\Microsoft\Security Center
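As an added example (not code from Thirtyseven4 or from the write-up), the following Python triage script parses a `.reg` export taken from a suspect host and flags the registry artefacts listed above: Run entries that launch the dropped files, EnableLUA set to 0, FirewallOverride set to 1, and the firewall exception for update.1\svchost.exe. The `.reg` sample embedded in the script is constructed to reproduce those entries and is not from a real infection.

```python
# Registry artefacts from the Trojan.AntiAV.obx write-up; %Windir% is host-specific, so only path tails are matched.
DROPPED_TAILS = (r"update.1\svchost.exe", r"temp\3365152.exe", "services32.exe", "sysdriver32.exe", "sysdriver32_.exe")
HKLM = "hkey_local_machine"
RUN_KEY = HKLM + r"\software\microsoft\windows\currentversion\run"
POLICY_KEY = HKLM + r"\software\microsoft\windows\currentversion\policies\system"
SEC_CENTER_KEY = HKLM + r"\software\microsoft\security center"
FW_LIST_KEY = HKLM + (r"\system\currentcontrolset\services\sharedaccess\parameters"
                      r"\firewallpolicy\standardprofile\authorizedapplications\list")
_unescape = lambda s: s.replace("\\\\", "\\").replace('\\"', '"')  # .reg doubles backslashes, escapes quotes

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; keys/names lower-cased, strings and dwords only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            data = int(data[6:], 16) if data.startswith("dword:") else _unescape(data[1:-1])
            keys[current][_unescape(name).lower()] = data
    return keys

def find_indicators(reg):
    """Return one finding per write-up artefact present in the parsed export."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if any(tail in str(data).lower() for tail in DROPPED_TAILS):
            hits.append(f"Run value {name!r} launches {data}")
    if reg.get(POLICY_KEY, {}).get("enablelua") == 0:
        hits.append("EnableLUA=0: UAC consent prompts disabled")
    if reg.get(SEC_CENTER_KEY, {}).get("firewalloverride") == 1:
        hits.append("FirewallOverride=1: Security Center firewall monitoring suppressed")
    for name in reg.get(FW_LIST_KEY, {}):
        if DROPPED_TAILS[0] in name:
            hits.append(f"Firewall exception for {name}")
    return hits
# Constructed sample export (not from a real host) containing the write-up's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wxpdrv"="C:\\WINDOWS\\update.1\\svchost.exe"
"sysdriver32.exe"="\"C:\\WINDOWS\\sysdriver32.exe\" rezerv"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\update.1\\svchost.exe"="C:\\WINDOWS\\update.1\\svchost.exe:*:Enabled:C:\\WINDOWS\\update.1\\svchost.exe"
'''
FINDINGS = find_indicators(parse_reg_export(SAMPLE_REG))  # five findings for the sample above
```

On a live export, run the same two functions over the file contents; a benign Run entry that does not point at one of the dropped file names produces no finding.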
