Aliases: W32/Gobi.b, PE_SALITY.AZ, Trojan-Dropper.Win32.Microjoin, W32/[email protected], Win32/Kashu.C
Variants: Virus.Win32.Gobi.a, Win32.Gobi.a, W32/Gobi, PE_GOBI.A, W32/Gobi.29033

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe, North America
Removal: Hard
Platform: W32
Discovered: 10 Mar 2004
Damage: Low

Characteristics: Like most file-infecting viruses, this malware targets Portable Executable (PE) files on the Microsoft Windows platform, infecting the executables of programs installed on the compromised system. W32.Gobi carries built-in defence mechanisms intended to complicate its detection and removal from the host machine. It also compromises system security by opening an unsecured backdoor.

More details about W32.Gobi

The complexity of W32.Gobi stems primarily from its ability to change its virus signature at every infection. This capability, commonly referred to as polymorphism, is meant to thwart attempts to remove it from the machine. The threat also uses an entry point obscuring (EPO) technique, overwriting the initial instructions of the executable file it intends to infect. Its author employed anti-debugging techniques, presumably to protect the malware's code from analysis. The backdoor functionality allows the author to hijack the resources of the infected system without the user's knowledge; W32.Gobi normally uses TCP port 666 for its backdoor.
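A defender-side triage check that follows from the entry point obscuring behaviour described above. This is an added example, not code from the original page or from any vendor's detection engine; it parses a PE32 header, finds the section that holds the entry point, and flags entry points that fall outside the first executable section, in the last section, or in a writable section. The `build_pe` helper fabricates a minimal constructed header purely for testing and is not a real executable.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section flags from the PE/COFF specification
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, flags), ...]) from raw PE32 bytes."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + i * 40                 # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append((name, va, vsize, flags))
    return entry_rva, sections

def entry_point_findings(data):
    """Heuristic triage: where does the entry point land, and does that look normal?"""
    entry_rva, sections = parse_pe(data)
    holder = next((i for i, s in enumerate(sections) if s[1] <= entry_rva < s[1] + s[2]), None)
    if holder is None:
        return ["entry point outside every section"]
    name, _, _, flags = sections[holder]
    first_exec = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    findings = []
    if holder != first_exec:
        findings.append(f"entry point in '{name}', not the first executable section")
    if len(sections) > 1 and holder == len(sections) - 1:
        findings.append(f"entry point in the last section '{name}'")
    if flags & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section '{name}' is writable")
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header for testing only (not a real executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

Any non-empty findings list is a prompt for closer inspection, not proof of infection; packers and some linkers produce similar layouts.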

An inherent danger of the W32.Gobi backdoor is that other malicious actors can use it to further compromise the already infected system. The backdoor normally remains undetected until the machine is thoroughly scanned with protection software that has an up-to-date antivirus engine and signature database. W32.Gobi hooks Windows Application Programming Interfaces (APIs) to control certain functions of the host system. The executable for its backdoor component is normally stored in a temporary folder on the hard drive.