Troj/Obfus-I

Category: Viruses and Spyware
Type: Trojan
Protection available since: 05 Apr 2013 15:56:52 (GMT)
Last Updated: 05 Apr 2013 15:56:52 (GMT)
Prevalence: Small Number of Reports


Examples of Troj/Obfus-I include:

Example 1

File Information

Size
309K
SHA-1
009a9ccbbd9d4119252bbe23d5fd3baf555be47c
MD5
75defed71347a3191ac52fc9ccf85768
CRC-32
fa86c2ca
File type
Windows executable
First seen
2012-07-21

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\2.tmp
Dropped Files
  • C:\WINDOWS\AppPatch\pfeiic.exe
    Size
    309K
    SHA-1
    be893dc82d9574bf09371172613ec16ac3a46afc
    MD5
    fa840a9104a2958561896456007c18a4
    CRC-32
    dd5c7c68
    File type
    Windows executable
    First seen
    2013-04-05
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
    Trace Level
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    601f769f
    (binary data; contents not recoverable from this page)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    run
    C:\WINDOWS\apppatch\pfeiic.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    userinit
    C:\WINDOWS\apppatch\pfeiic.exe
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run
    C:\WINDOWS\apppatch\pfeiic.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\apppatch\pfeiic.exe,
DNS Requests
  • cicaratupig.eu
  • cihunemyror.eu
  • ciliqikytec.eu
  • cinepycusaw.eu
  • ciqydofudyx.eu
  • digivehusyd.eu
  • dikoniwudim.eu
  • dimutobihom.eu
  • divywysigud.eu
  • dixemazufel.eu
  • fobonobaxog.eu
  • fodakyhijyv.eu
  • fogeliwokih.eu
  • fokyxazolar.eu
  • foxivusozuc.eu
  • gadufiwabim.eu
  • gahihezenal.eu
  • galokusemus.eu
  • gatedyhavyd.eu
  • jefapexytar.eu
  • jejedudupuc.eu
  • jepororyrih.eu
  • jewuqyjywyv.eu
  • kefuwidijyp.eu
  • kemocujufys.eu
  • kepymexihak.eu
  • keraborigin.eu
  • lymylorozig.eu
  • lyruxyxaxaw.eu
  • lysovidacyx.eu
  • lyvejujolec.eu
  • magofetequb.eu
  • makagucyraj.eu
  • marytymenok.eu
  • masisokemep.eu
  • nofyjikoxex.eu
  • nojuletacuf.eu
  • nopegymozow.eu
  • nozoxucavaq.eu
  • pumadypyruv.eu
  • puregivytoh.eu
  • puvopalywet.eu
  • puzutuqeqij.eu
  • qederepuduf.eu
  • qegytuvufoq.eu
  • qeqinuqypoq.eu
  • qetoqolusex.eu
  • rydinivoloh.eu
  • rynazuqihoj.eu
  • ryqecolijet.eu
  • rytuvepokuv.eu
  • tucyguqaciq.eu
  • tunujolavez.eu
  • tupazivenom.eu
  • tuwikypabud.eu
  • vocumucokaj.eu
  • vofozymufok.eu
  • vojacikigep.eu
  • volebatijub.eu
  • voniqofolyt.eu
  • www.bing.com
  • xubifaremin.eu
  • xuqohyxeqak.eu
  • xutekidywyp.eu
  • xuxusujenes.eu
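The registry changes listed above (HKCU Run, Policies\Explorer\Run and Windows NT\CurrentVersion\Windows values pointing at a six-letter .exe under AppPatch, plus an extra entry appended to HKLM Winlogon\Userinit) are the persistence footprint a responder would check for; Examples 2 and 3 below show the same keys with different file names. The following Python script is an added example, not code from this page or from Sophos. It takes the relevant values as strings, flags any Userinit entry other than the system32 userinit.exe and any run value pointing at an AppPatch executable, and on Windows can read the same values live through winreg. The six-lowercase-letter file-name pattern is an assumption generalised from the three names on this page (pfeiic, fljtyc, cejmou), and the sample values are constructed to mirror Example 1. The ESENT\Process\sample\DEBUG key is named after the analysed process ("sample") and is an artifact of the analysis run rather than an indicator, so the script ignores it.

```python
import re
import sys

# Keys the page shows being created or modified, as (hive, subkey).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows"),
]
WINLOGON_KEY = ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")

# Assumption: dropped files are six lowercase letters under %SystemRoot%\AppPatch
# (pfeiic, fljtyc, cejmou on this page). Three samples is a small basis; treat as a heuristic.
APPPATCH_DROP = re.compile(r"\\apppatch\\[a-z]{6}\.exe\b", re.IGNORECASE)


def userinit_extras(userinit_value):
    """Return the non-default entries of Winlogon\\Userinit.

    The legitimate value is a single entry, the system32 userinit.exe (usually with a
    trailing comma). Winlogon launches every comma-separated entry at logon, so any
    other entry is a persistence finding regardless of where it points.
    """
    extras = []
    for entry in userinit_value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        if entry.lower().endswith(r"\system32\userinit.exe"):
            continue
        extras.append(entry)
    return extras


def suspicious_run_values(run_values):
    """run_values: iterable of (hive, subkey, value_name, data). Flags AppPatch drops."""
    return [(hive, subkey, name, data) for hive, subkey, name, data in run_values
            if APPPATCH_DROP.search(data)]


def triage(userinit_value, run_values):
    """Combine both checks into one list of (check, detail) findings."""
    findings = [("winlogon_userinit", e) for e in userinit_extras(userinit_value)]
    findings += [("run_value", f"{hive}\\{subkey}\\{name} = {data}")
                 for hive, subkey, name, data in suspicious_run_values(run_values)]
    return findings


def collect_live():
    """Read the same values from the local registry (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    with winreg.OpenKey(hives[WINLOGON_KEY[0]], WINLOGON_KEY[1]) as key:
        userinit_value, _ = winreg.QueryValueEx(key, "Userinit")
    run_values = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    if isinstance(data, str):
                        run_values.append((hive, subkey, name, data))
                    index += 1
        except OSError:
            continue  # key absent on this host
    return userinit_value, run_values


# Constructed sample mirroring Example 1 on the page, not an export from a real host.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\apppatch\pfeiic.exe,"
SAMPLE_RUN_VALUES = [
    ("HKCU", RUN_KEYS[0][1], "userinit", r"C:\WINDOWS\apppatch\pfeiic.exe"),
    ("HKCU", RUN_KEYS[1][1], "run", r"C:\WINDOWS\apppatch\pfeiic.exe"),
    ("HKCU", RUN_KEYS[2][1], "run", r"C:\WINDOWS\apppatch\pfeiic.exe"),
    ("HKCU", RUN_KEYS[0][1], "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),  # benign control
]

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        userinit, runs = collect_live()
    else:
        userinit, runs = SAMPLE_USERINIT, SAMPLE_RUN_VALUES
    for check, detail in triage(userinit, runs):
        print(f"[{check}] {detail}")
```

Run it with `--live` on a Windows host to check the real values; without the flag it triages the constructed Example 1 data. Writing the HKLM Winlogon value needs administrative rights, so on a host where the user lacked them only the HKCU entries would be expected to survive, which is why the script reports the two checks separately.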

Example 2

File Information

Size
309K
SHA-1
09e13f2d6f0499c9946fca3bc6e8e7d6e85874b0
MD5
7113de11a0c0b06f9eb714c374288f8c
CRC-32
ea4c2e99
File type
Windows executable
First seen
2012-07-22

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\2.tmp
Dropped Files
  • C:\WINDOWS\AppPatch\fljtyc.exe
    Size
    309K
    SHA-1
    a97351d656b709c7207e8727cfdb1ecec03f328e
    MD5
    59116192c7a7106cb48c4460d4547dad
    CRC-32
    faced2fa
    File type
    Windows executable
    First seen
    2013-04-05
Registry Keys Created
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run
    C:\WINDOWS\apppatch\fljtyc.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    601f769f
    (binary data; contents not recoverable from this page)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    userinit
    C:\WINDOWS\apppatch\fljtyc.exe
  • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
    Trace Level
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    run
    C:\WINDOWS\apppatch\fljtyc.exe
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\apppatch\fljtyc.exe,
DNS Requests
  • cicaratupig.eu
  • cihunemyror.eu
  • ciliqikytec.eu
  • cinepycusaw.eu
  • ciqydofudyx.eu
  • digivehusyd.eu
  • dikoniwudim.eu
  • dimutobihom.eu
  • divywysigud.eu
  • dixemazufel.eu
  • fobonobaxog.eu
  • fodakyhijyv.eu
  • fogeliwokih.eu
  • fokyxazolar.eu
  • foxivusozuc.eu
  • gadufiwabim.eu
  • gahihezenal.eu
  • galokusemus.eu
  • gatedyhavyd.eu
  • jefapexytar.eu
  • jejedudupuc.eu
  • jepororyrih.eu
  • jewuqyjywyv.eu
  • kefuwidijyp.eu
  • kemocujufys.eu
  • kepymexihak.eu
  • keraborigin.eu
  • lymylorozig.eu
  • lyruxyxaxaw.eu
  • lysovidacyx.eu
  • lyvejujolec.eu
  • magofetequb.eu
  • makagucyraj.eu
  • marytymenok.eu
  • masisokemep.eu
  • nofyjikoxex.eu
  • nojuletacuf.eu
  • nopegymozow.eu
  • nozoxucavaq.eu
  • pumadypyruv.eu
  • puregivytoh.eu
  • puvopalywet.eu
  • puzutuqeqij.eu
  • qederepuduf.eu
  • qegytuvufoq.eu
  • qeqinuqypoq.eu
  • qetoqolusex.eu
  • rydinivoloh.eu
  • rynazuqihoj.eu
  • ryqecolijet.eu
  • rytuvepokuv.eu
  • tucyguqaciq.eu
  • tunujolavez.eu
  • tupazivenom.eu
  • tuwikypabud.eu
  • vocumucokaj.eu
  • vofozymufok.eu
  • vojacikigep.eu
  • volebatijub.eu
  • voniqofolyt.eu
  • www.bing.com
  • xubifaremin.eu
  • xuqohyxeqak.eu
  • xutekidywyp.eu
  • xuxusujenes.eu

Example 3

File Information

Size
309K
SHA-1
164cb19adab31f18d0c186d1702c03698dd23c31
MD5
2da5247016360d613254dbeb13d6cf0e
CRC-32
50dc6cbc
File type
Windows executable
First seen
2012-07-15

Runtime Analysis

Copies Itself To
  • c:\Documents and Settings\test user\Local Settings\Temp\2.tmp
Dropped Files
  • C:\WINDOWS\AppPatch\cejmou.exe
    Size
    309K
    SHA-1
    e0abd0ab4614b049815c485c45cd83a59bf7257f
    MD5
    3752e4976a8f68e3d2024010199e4d82
    CRC-32
    f330c1de
    File type
    Windows executable
    First seen
    2013-04-05
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    userinit
    C:\WINDOWS\apppatch\cejmou.exe
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run
    C:\WINDOWS\apppatch\cejmou.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    run
    C:\WINDOWS\apppatch\cejmou.exe
  • HKLM\SOFTWARE\Microsoft\ESENT\Process\sample\DEBUG
    Trace Level
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    601f769f
    (binary data; contents not recoverable from this page)
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\apppatch\cejmou.exe,
DNS Requests
  • cicaratupig.eu
  • cihunemyror.eu
  • ciliqikytec.eu
  • cinepycusaw.eu
  • ciqydofudyx.eu
  • digivehusyd.eu
  • dikoniwudim.eu
  • dimutobihom.eu
  • divywysigud.eu
  • dixemazufel.eu
  • fobonobaxog.eu
  • fodakyhijyv.eu
  • fogeliwokih.eu
  • fokyxazolar.eu
  • foxivusozuc.eu
  • gadufiwabim.eu
  • gahihezenal.eu
  • galokusemus.eu
  • gatedyhavyd.eu
  • jefapexytar.eu
  • jejedudupuc.eu
  • jepororyrih.eu
  • jewuqyjywyv.eu
  • kefuwidijyp.eu
  • kemocujufys.eu
  • kepymexihak.eu
  • keraborigin.eu
  • lymylorozig.eu
  • lyruxyxaxaw.eu
  • lysovidacyx.eu
  • lyvejujolec.eu
  • magofetequb.eu
  • makagucyraj.eu
  • marytymenok.eu
  • masisokemep.eu
  • nofyjikoxex.eu
  • nojuletacuf.eu
  • nopegymozow.eu
  • nozoxucavaq.eu
  • pumadypyruv.eu
  • puregivytoh.eu
  • puvopalywet.eu
  • puzutuqeqij.eu
  • qederepuduf.eu
  • qegytuvufoq.eu
  • qeqinuqypoq.eu
  • qetoqolusex.eu
  • rydinivoloh.eu
  • rynazuqihoj.eu
  • ryqecolijet.eu
  • rytuvepokuv.eu
  • tucyguqaciq.eu
  • tunujolavez.eu
  • tupazivenom.eu
  • tuwikypabud.eu
  • vocumucokaj.eu
  • vofozymufok.eu
  • vojacikigep.eu
  • volebatijub.eu
  • voniqofolyt.eu
  • www.bing.com
  • xubifaremin.eu
  • xuqohyxeqak.eu
  • xutekidywyp.eu
  • xuxusujenes.eu
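The DNS Requests list is identical across all three examples: 64 .eu names plus www.bing.com. Every .eu name has the same shape, 11 lowercase letters with strict consonant/vowel alternation (y counted as a vowel). The script below is an added example, not from this page or from Sophos. It scans DNS log lines for exact matches against the listed names and, with lower confidence, for names of that shape. The shape rule is an observation about this list, not a reconstruction of how the names are generated, and it will also match some legitimate names, so shape-only hits are leads to confirm rather than detections. The log format (timestamp, client, query type, name) and the log lines are constructed for the example; www.bing.com is a benign domain and is deliberately not treated as an indicator.

```python
import re

# The 64 .eu names listed under DNS Requests on this page (identical for all three examples).
IOC_DOMAINS = frozenset("""
cicaratupig.eu cihunemyror.eu ciliqikytec.eu cinepycusaw.eu ciqydofudyx.eu
digivehusyd.eu dikoniwudim.eu dimutobihom.eu divywysigud.eu dixemazufel.eu
fobonobaxog.eu fodakyhijyv.eu fogeliwokih.eu fokyxazolar.eu foxivusozuc.eu
gadufiwabim.eu gahihezenal.eu galokusemus.eu gatedyhavyd.eu
jefapexytar.eu jejedudupuc.eu jepororyrih.eu jewuqyjywyv.eu
kefuwidijyp.eu kemocujufys.eu kepymexihak.eu keraborigin.eu
lymylorozig.eu lyruxyxaxaw.eu lysovidacyx.eu lyvejujolec.eu
magofetequb.eu makagucyraj.eu marytymenok.eu masisokemep.eu
nofyjikoxex.eu nojuletacuf.eu nopegymozow.eu nozoxucavaq.eu
pumadypyruv.eu puregivytoh.eu puvopalywet.eu puzutuqeqij.eu
qederepuduf.eu qegytuvufoq.eu qeqinuqypoq.eu qetoqolusex.eu
rydinivoloh.eu rynazuqihoj.eu ryqecolijet.eu rytuvepokuv.eu
tucyguqaciq.eu tunujolavez.eu tupazivenom.eu tuwikypabud.eu
vocumucokaj.eu vofozymufok.eu vojacikigep.eu volebatijub.eu voniqofolyt.eu
xubifaremin.eu xuqohyxeqak.eu xutekidywyp.eu xuxusujenes.eu
""".split())

# Shape shared by every listed name: 11 lowercase letters alternating consonant/vowel
# (y counted as a vowel) under .eu. An observation about this list, not the generator.
VOWELS = "aeiouy"
CONSONANTS = "bcdfghjklmnpqrstvwxz"
SHAPE = re.compile(r"^(?:[%s][%s]){5}[%s]\.eu$" % (CONSONANTS, VOWELS, CONSONANTS))


def classify(qname):
    """Return 'ioc' for an exact match, 'shape' for a shape-only match, else None."""
    name = qname.lower().rstrip(".")
    if name in IOC_DOMAINS:
        return "ioc"
    if SHAPE.match(name):
        return "shape"
    return None


def scan_dns_log(lines):
    """Scan log lines of the constructed form '<timestamp> <client> <qtype> <qname>'.

    Returns (client, qname, verdict) for every matching line; benign names such as
    www.bing.com produce nothing.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _timestamp, client, _qtype, qname = parts[:4]
        verdict = classify(qname)
        if verdict:
            hits.append((client, qname.lower().rstrip("."), verdict))
    return hits


def all_iocs_match_shape():
    """Sanity check that the shape rule really covers every listed name."""
    return all(SHAPE.match(d) for d in IOC_DOMAINS)


# Constructed sample log, not captured traffic. bazufetokyx.eu is a made-up name that
# has the shape but is not on the page; it should surface as a lower-confidence hit.
SAMPLE_LOG = """
2013-04-05T09:12:01Z 10.1.2.30 A cicaratupig.eu.
2013-04-05T09:12:01Z 10.1.2.30 A www.bing.com
2013-04-05T09:12:03Z 10.1.2.30 A ryqecolijet.eu
2013-04-05T09:12:05Z 10.1.2.30 A bazufetokyx.eu
2013-04-05T09:12:07Z 10.1.2.44 A update.example.net
"""

if __name__ == "__main__":
    for client, qname, verdict in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:5s} {client:12s} {qname}")
```

Exact hits are reasonable block-list candidates; shape hits only justify a closer look at the client, and www.bing.com should not be blocked on the strength of this list.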
