goldun-haxspy-haxdoor
— | goldun-haxspy-haxdoor [2013/01/28 04:29] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Goldun/ | ||
+ | |||
+ | |||
+ | ===== General ===== | ||
+ | **Method of propagation: | ||
+ | * This is not a virus and does not contain any method to replicate. However this file may be downloaded by other viruses and/or Trojans to be installed on the user's system. | ||
+ | |||
+ | **Platforms / OS:** | ||
+ | * Windows 95 | ||
+ | * Windows 98 | ||
+ | * Windows 98 SE | ||
+ | * Windows NT | ||
+ | * Windows ME | ||
+ | * Windows 2000 | ||
+ | * Windows XP | ||
+ | * Windows 2003 | ||
+ | |||
+ | **Side effects:** | ||
+ | * Drops malicious files | ||
+ | * Registry modification | ||
+ | * Steals information | ||
+ | |||
+ | ===== Files ===== | ||
+ | File: | ||
+ | Hash: 601b43c39f726d975f035cc98c146f99 | ||
+ | |||
+ | This trojan may have any of the standard icon like Microsoft Word Document or JPEG Image. | ||
+ | |||
+ | The following files are created: | ||
+ | |||
+ | – %SYSDIR%\wndtx1.dll Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. | ||
+ | Hash: bed399d56b82369eb7fb95caad16de04 | ||
+ | Detected as: TR/ | ||
+ | |||
+ | – %SYSDIR%\ipudpb2.sys | ||
+ | Hash: 14ab6317620fb234c436f8114fab7f26 | ||
+ | Detected as: TR/ | ||
+ | |||
+ | ===== Registry | ||
+ | The following registry keys are added: | ||
+ | |||
+ | – [HKLM\SYSTEM\CurrentControlSet\Control] | ||
+ | * " | ||
+ | |||
+ | – [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ | ||
+ | | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | |||
+ | – [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2] | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | |||
+ | – [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security] | ||
+ | * " | ||
+ | |||
+ | – [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum] | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | |||
+ | |||
+ | The following registry key is changed: | ||
+ | |||
+ | – [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager] | ||
+ | Old value: | ||
+ | * " | ||
+ | New value: | ||
+ | * " | ||
+ | |||
+ | ===== Backdoor | ||
+ | **Contact server:** | ||
+ | The following: | ||
+ | * !http:// | ||
+ | |||
+ | As a result it may send information and remote control could be provided. This is done via the HTTP GET and POST method using a PHP script. | ||
+ | |||
+ | **Sends information about:** | ||
+ | * Current user | ||
+ | * Collected information described in stealing section | ||
+ | * Information about the Windows operating system | ||
+ | |||
+ | ===== Stealing | ||
+ | It tries to steal the following information: | ||
+ | – Passwords typed into ' | ||
+ | |||
+ | – A logging routine is started after one of the following websites are visited: | ||
+ | * !http:// | ||
+ | * %any HTTPS website that contains a login form% | ||
+ | |||
+ | – It captures: | ||
+ | * Window information | ||
+ | * Browser window | ||
+ | * Login information | ||
+ | |||
+ | ===== Injection | ||
+ | &# | ||
+ | |||
+ | All of the following processes: | ||
+ | * iexplore.exe | ||
+ | * %all processes started after malware is active in memory% | ||
+ | |||
+ | ===== Rootkit Technology | ||
+ | It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user. | ||
+ | |||
+ | Hides the following: | ||
+ | |||
+ | Method used: | ||
+ | * Hidden from Windows API | ||
+ | |||
+ | Hooks the following API functions: | ||
+ | * NtCreateProcess | ||
+ | * NtCreateProcessEx | ||
+ | * ZwCreateProcess | ||
+ | * ZwCreateProcessEx | ||
+ | |||
+ | ===== File details | ||
+ | Runtime packer: | ||
+ | In order to aggravate detection and reduce size of the file it is packed with the following runtime packer: | ||
+ | * FSG | ||
+ | |||
+ | |||
+ | -- Main.FredPettis - 26 Mar 2009 | ||
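Review bot: several fields in this hunk are empty or cut off, which leaves the indicators unusable for detection or response: "File:" at the top of the Files section names no file for hash 601b43c39f726d975f035cc98c146f99, "Detected as: TR/" is truncated for both dropped files, every registry value under the added and changed keys is reduced to a bare `"`, the Winlogon key on the line beginning `[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\` stops before the subkey name, both the contact and the trigger URL end at `!http://`, and "Hides the following:" lists nothing. Please restore the complete values, or mark each one as intentionally withheld, so the entries for `%SYSDIR%\wndtx1.dll`, `%SYSDIR%\ipudpb2.sys` and the `ipudpb2` service key can actually be matched on a host. Since all four hooked functions are process-creation calls (NtCreateProcess, NtCreateProcessEx, ZwCreateProcess, ZwCreateProcessEx), the "Hides the following:" list should at least state which objects (processes, files, registry entries) are concealed, and the Session Manager "Old value" / "New value" pair needs its actual values for the change to be auditable.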
goldun-haxspy-haxdoor.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1