Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Virus.gobi Analysis Report
Threat Submitted On: 9/19/2008 10:43:06 AM
Threat Analysed On: 9/19/2008 3:43:06 PM
Threat Updated On: 1/28/2011 6:08:16 AM
Type : Virus
Symptoms of gobi
  • Attaches with an existing program and copies itself to other programs upon execution.
  • May pose severe threats to the user-data and the system-performance.
Information
Alias : virus.win32.gobi.a
Md5 Hash : [90043a4ab8bffcd3cde8d6d03b79e3b0]
File Size : [Not Available]

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: iexplore.exe
Path : %programfiles%\common files\microsoft shared\msinfo

Md5Hash :2dd7097ba995d083482956647672fecc ( 320744 bytes)
File: serve.dll
Path : %windir%\system32

Md5Hash :9f9aed0539ad37884c33d75dbe6a5a30 ( 78960 bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
0c2453aec3fd791abb98bc6ee0add059 ( 395373 bytes)
0d14b0b8e39efcd2e90c97ab9da24fa5 ( 57458 bytes)
10c71fa87a2ced23fed3c97e03e907a0 ( 172810 bytes)
2dd7097ba995d083482956647672fecc ( 320744 bytes)
90043a4ab8bffcd3cde8d6d03b79e3b0 ( bytes)
a3e342bee19c262f99072d30bdeabbd2 ( 593922 bytes)
c0d3a58fc98c5c3f706dc386d0eb5d9b ( 58137 bytes)
d935de0996596da93f3f47d9522a751b ( 4096 bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : wininit.exe
Path : %windir%\system32

Md5Hash :90043a4ab8bffcd3cde8d6d03b79e3b0 ( 211968 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
microsoft update 32 = "wininit.exe"
|__ Value Added :
microsoft update 32 = "wininit.exe"
Creates the following child process(s) on execution:

%windir%\system32\wininit.exe 1632 %workingdir%\[random name].exe

services.exe

Creates the Following MUTEX(s) on user's System:-
a3c
raspbfile
Copies the Following Files to Given Location :-

Copies :%workingdir%\[random name].exe

To : %windir%\system32\wininit.exe

NOTE:

1. %programfiles% Refers to the program files folder. By default it is 'C:\Program Files'
2. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
3. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.