Goldun/Haxspy
- General
- Files
- Registry
- Backdoor
- Stealing
- Injection
- Rootkit Technology
- File details

Goldun/Haxspy

General

Method of propagation:

This is not a virus and does not contain any method to replicate. However this file may be downloaded by other viruses and/or Trojans to be installed on the user's system.

Platforms / OS:

Windows 95
Windows 98
Windows 98 SE
Windows NT
Windows ME
Windows 2000
Windows XP
Windows 2003

Side effects:

Drops malicious files
Registry modification
Steals information

Files

File: Install.exe Hash: 601b43c39f726d975f035cc98c146f99

This trojan may have any of the standard icon like Microsoft Word Document or JPEG Image.

The following files are created:

– %SYSDIR%\wndtx1.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Hash: bed399d56b82369eb7fb95caad16de04 Detected as: TR/Dldr.Bolol.A.4, PWS-Goldun (Password Stealer trojan)

– %SYSDIR%\ipudpb2.sys Hash: 14ab6317620fb234c436f8114fab7f26 Detected as: TR/Spy.Haxspy.AE, BackDoor-BAC.sys (Remote Access trojan)

Registry

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]

“isfr2”“[%random character string%[%current username% ]” – [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ wndtx1] * “DllName”wndtx1.dll
“Startup”“wndtx1” * “Impersonate”dword:00000001
“Asynchronous”dword:00000001 * “MaxWait”dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]

“Type”dword:00000001 * “Start”dword:00000001
“ErrorControl”dword:00000000 * “ImagePath”\??\%SYSDIR%\IPUDPB2.SYS
“DisplayName”“IP2 UDPB2” – [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security] * “Security”%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]

“0”“Root\\LEGACY_IPUDPB2\\0000” * “Count”dword:00000001
“NextInstance”dword:00000001 The following registry key is changed: – [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager] Old value: * “PendingFileRenameOperations”%hex values%

New value:

“PendingFileRenameOperations”''%hex values%

Backdoor

Contact server: The following:

!http://www.salidol.biz/

As a result it may send information and remote control could be provided. This is done via the HTTP GET and POST method using a PHP script.

Sends information about:

Current user
Collected information described in stealing section
Information about the Windows operating system

Stealing

It tries to steal the following information: – Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites are visited:

!http://www.e-gold.com
%any HTTPS website that contains a login form%

– It captures:

Window information
Browser window
Login information

Injection

– It injects the following file into a process: %SYSDIR%\wndtx1.dll

  All of the following processes:
* iexplore.exe
* %all processes started after malware is active in memory%

Rootkit Technology

It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:

Method used:

Hidden from Windows API

Hooks the following API functions:

NtCreateProcess
NtCreateProcessEx
ZwCreateProcess
ZwCreateProcessEx

File details

Runtime packer: In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:

– Main.FredPettis - 26 Mar 2009

Table of Contents