W32/Obfuscated.XZ Trojan

 Information about the W32/Obfuscated.XZ Trojan:

W32/Obfuscated.XZ is a trojan. The trojan will infect Windows systems.

Upon execution, the trojan drops a copy itself as a backup in Documents and Settings\All Users\Application Data folder and deletes the original file.

It also drops the following files:

twdmheje.exe in the Windows System folder,
ChkStr.dll in the Windows System folder,
def.htm in the Windows\Web folder,
System32vbsys2.dll in the Windows folder,
System32awtoolb.dll in the Windows folder,
System32sysreq.exe in the Windows folder,
System32WINWGPX.EXE in the Windows folder,
System32bdn.com in the Windows folder,
System32mssecu.exe in the Windows folder,
System32winsystem.exe in the Windows folder,
bdn.com in the Windows folder,
mssecu.exe in the Windows folder,
winsystem.exe in the Windows folder,
System32anticipator.dll in the Windows folder,
System32vcatchpi.dll in the Windows folder,
System32akttzn.exe in the Windows folder,
System32newsd32.exe in the Windows folder,
System32emesx.dll in the Windows folder,
System32Rundl1.exe in the Windows folder,
System32thun.dll in the Windows folder,
System32thun32.dll in the Windows folder,
System32msvchost.exe in the Windows folder,
System32regc64.dll in the Windows folder,
System32regm64.dll in the Windows folder,
System32ssvchost.com in the Windows folder,
System32ssvchost.exe in the Windows folder,
System32dpcproxy.exe in the Windows folder,
System32h@tkeysh@@k.dll in the Windows folder,
System32temp#01.exe in the Windows folder,
System32msgp.exe in the Windows folder,
System32mtr2.exe in the Windows folder,
System32netode.exe in the Windows folder,
System32medup012.dll in the Windows folder,
System32medup020.dll in the Windows folder,
System32ssurf022.dll in the Windows folder,
System32msnbho.dll in the Windows folder,
System32bsva-egihsg52.exe in the Windows folder,
System32ps1.exe in the Windows folder,
System32psof1.exe in the Windows folder,
System32psoft1.exe in the Windows folder,
iTunesMusic.exe in the Windows folder,
System32hxiwlgpm.dat in the Windows folder,
System32hxiwlgpm.exe in the Windows folder,
System32taack.dat in the Windows folder,
System32taack.exe in the Windows folder,
System32sncntr.exe in the Windows folder,
System32mwin32.exe in the Windows folder,
a.bat in the Windows folder,
System32VBIEWER.OCX in the Windows folder,
System32hoproxy.dll in the Windows folder,
base64.tmp in the Windows folder,
FVProtect.exe in the Windows folder,
userconfig9x.dll in the Windows folder,
zip1.tmp in the Windows folder,
zip2.tmp in the Windows folder,
zip3.tmp in the Windows folder,
zipped.tmp in the Windows folder,
System32winlogonpc.exe in the Windows folder,
2_mslagent.dll in the WINDOWS\mslagent folder,
mslagent.exe in the WINDOWS\mslagent folder,
uninstall.exe in the WINDOWS\mslagent folder,
Desktopfwebd.exe in the Documents and Settings\%Current User% folder,
DesktopFWebdEditor.exe in the Documents and Settings\%Current User% folder,
DesktopEditorFKWP1.5.exe in the Documents and Settings\%Current User% folder,
DesktopEditorFKWP2.0.exe in the Documents and Settings\%Current User% folder,
Desktopfilemanagerclient.exe in the Documents and Settings\%Current User% folder,
Desktopfkwp1.5.exe in the Documents and Settings\%Current User% folder,
Desktopfkwp2.0.exe in the Documents and Settings\%Current User% folder.

The trojan modifies the registry at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_USERS\(SID)\Software\Microsoft\Windows\CurrentVersion\Run

The trojan disables the Task Manager.

The trojan also tries to download an adware CAnitivirus_Installer.exe from hxxp://antispyware-reviews.biz/?wmid=4663&pwebmid=XQcoP2rR2W.

This trojan first appeared on April 17, 2008.

 Other names of W32/Obfuscated.XZ Trojan:

This trojan is also known as Win32.Trojan.Obfuscated.gx.3, Trojan.Win32.Obfuscated.xz.