====== Goldun/Haxspy ======


===== General =====
**Method of propagation:**
  * This is a trojan, not a virus: it contains no routine to replicate itself. It may, however, be downloaded and installed on the user's system by other malware.

**Platforms / OS:**
  * Windows 95
  * Windows 98
  * Windows 98 SE
  * Windows NT
  * Windows ME
  * Windows 2000
  * Windows XP
  * Windows 2003

**Side effects:**
  * Drops malicious files
  * Registry modification
  * Steals information
===== Files  =====
File:   Install.exe
Hash: 601b43c39f726d975f035cc98c146f99

The dropper may carry a standard icon such as Microsoft Word Document or JPEG Image to disguise itself.

The following files are created:

– %SYSDIR%\wndtx1.dll
It is executed as soon as it has been fully written. Further investigation showed that this file is malware, too.
Hash: bed399d56b82369eb7fb95caad16de04
Detected as: TR/Dldr.Bolol.A.4, PWS-Goldun (Password Stealer trojan)

– %SYSDIR%\ipudpb2.sys
Hash: 14ab6317620fb234c436f8114fab7f26
Detected as: TR/Spy.Haxspy.AE, BackDoor-BAC.sys (Remote Access trojan)

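To check a suspect system for these files, here is an added example (not from the original report) of a hash and name sweep in Python. It assumes the 32-hex-digit hashes above are MD5 and that the directory walked is the host's %SYSDIR%, mounted offline: the driver component hides files from the Windows API on a live system (see Rootkit Technology), so a sweep from inside the running OS may miss them. The demo tree, its contents and the names sample.bin and readme.txt are constructed for the example.

```python
import hashlib
import os
import tempfile

# Hashes quoted in the report; they are 32 hex digits, so MD5 is assumed here.
KNOWN_HASHES = {
    '601b43c39f726d975f035cc98c146f99': 'Install.exe (dropper)',
    'bed399d56b82369eb7fb95caad16de04': 'wndtx1.dll (PWS-Goldun)',
    '14ab6317620fb234c436f8114fab7f26': 'ipudpb2.sys (BackDoor-BAC.sys)',
}
# File names the report lists as dropped into %SYSDIR%. A name match with a
# different hash is a weaker signal (repacked variant) and is reported as such.
DROP_NAMES = {'wndtx1.dll', 'ipudpb2.sys'}


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_HASHES, names=DROP_NAMES):
    """Walk root and return (kind, path, detail) tuples: kind 'hash' for an
    exact hash match, 'name' for a listed drop name whose hash is unknown
    (detail then carries the hash so it can be submitted for analysis)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            digest = md5_file(path)
            if digest in known:
                hits.append(('hash', path, known[digest]))
            elif fn.lower() in names:
                hits.append(('name', path, digest))
    return hits


# Constructed demo tree: the file contents are made up, so only the name rule
# and a hash computed at run time can fire; nothing here is the real malware.
SAMPLE_BYTES = b'MZ constructed sample, not a real executable'
STANDIN_DLL = b'constructed stand-in for the dropped DLL'


def demo():
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, 'system32')
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, 'wndtx1.dll'), 'wb') as fh:
            fh.write(STANDIN_DLL)
        with open(os.path.join(sysdir, 'sample.bin'), 'wb') as fh:
            fh.write(SAMPLE_BYTES)
        with open(os.path.join(root, 'readme.txt'), 'wb') as fh:
            fh.write(b'benign file')
        # Add the constructed sample's own hash so the exact-match path is shown.
        known = dict(KNOWN_HASHES, **{md5_bytes(SAMPLE_BYTES): 'constructed test sample'})
        return sorted((kind, os.path.basename(path), detail)
                      for kind, path, detail in sweep(root, known))


if __name__ == '__main__':
    for hit in demo():
        print(hit)
```

On a real case replace the demo tree with the mounted system directory (`sweep(r'E:\WINDOWS\system32')`) and treat a 'name' hit as a lead, not a verdict: the hash differs for every repacked build of a dropper.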
===== Registry  =====
The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]
  * "isfr2" = "[%random character string%[%current username% ]"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
  * "DllName" = "wndtx1.dll"
  * "Startup" = "wndtx1"
  * "Impersonate" = dword:00000001
  * "Asynchronous" = dword:00000001
  * "MaxWait" = dword:00000001

A Winlogon notification package registered this way is loaded into winlogon.exe (which runs as SYSTEM) at the next logon, so this key is the persistence mechanism for wndtx1.dll. Winlogon\Notify packages are honoured on Windows 2000/XP/2003 only; Vista and later ignore the key.

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]
  * "Type" = dword:00000001
  * "Start" = dword:00000001
  * "ErrorControl" = dword:00000000
  * "ImagePath" = \??\%SYSDIR%\IPUDPB2.SYS
  * "DisplayName" = "IP2 UDPB2"

Type 1 registers a kernel-mode driver and Start 1 (SERVICE_SYSTEM_START) loads it during system initialisation, before any user logs on. Note that the image is placed directly in %SYSDIR% rather than in %SYSDIR%\drivers, where legitimate drivers normally live.

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]
  * "Security" = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]
  * "0" = "Root\\LEGACY_IPUDPB2\\0000"
  * "Count" = dword:00000001
  * "NextInstance" = dword:00000001


The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
   Old value:
  * "PendingFileRenameOperations" = %hex values%
   New value:
  * "PendingFileRenameOperations" = %hex values%

PendingFileRenameOperations is a REG_MULTI_SZ list of source/target pairs that the Session Manager applies early in the next boot, before the files are in use (an empty target deletes the source). Malware installers typically use it to replace or remove files that are locked while Windows is running; the report gives the old and new values only as placeholders.

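The keys above are what a responder looks for on a suspect host. The following Python is added here as an example and is not part of the original report: it parses a regedit .reg export, flags any Winlogon\Notify package outside a stock allowlist, flags a boot- or system-start kernel driver whose image is not under system32\drivers, and decodes PendingFileRenameOperations from its hex(7) form into source/target pairs. The .reg text, the C:\WINDOWS path and the allowlist of Windows XP SP2 notify packages are constructed assumptions; the randomly named isfr2 marker value has no generic signature and is not checked.

```python
import re

# Constructed sample (not a real capture): a .reg export carrying only the key
# and value names the report lists; the C:\WINDOWS path is invented.
PENDING = [r'\??\C:\WINDOWS\system32\Install.exe', '']   # (source, '' = delete)


def multi_sz_hex(strings, width=20):
    """Encode a REG_MULTI_SZ as regedit's wrapped 'hex(7):' text."""
    data = ''.join(s + '\x00' for s in strings).encode('utf-16-le') + b'\x00\x00'
    octets = [f'{b:02x}' for b in data]
    chunks = [','.join(octets[i:i + width]) for i in range(0, len(octets), width)]
    return 'hex(7):' + ',\\\n  '.join(chunks)


SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
"DllName"="wndtx1.dll"
"Startup"="wndtx1"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DllName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipudpb2]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\IPUDPB2.SYS"
"DisplayName"="IP2 UDPB2"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=''' + multi_sz_hex(PENDING) + '\n'

WINLOGON_NOTIFY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
SESSION_MGR = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
# Notify packages shipped with Windows XP SP2 (assumed baseline; adjust to the
# host under analysis). Any other package loads a DLL into winlogon.exe.
KNOWN_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon'}


def decode_multi_sz(blob):
    """UTF-16LE strings, each NUL-terminated, plus one extra NUL; empty
    strings in the middle (the 'delete' marker) are preserved."""
    text = blob.decode('utf-16-le')
    text = text[:-2] if text.endswith('\x00\x00') else text.rstrip('\x00')
    return text.split('\x00') if text else []


def parse_reg(text):
    """Parse .reg export text into {key_path: {name: (type, value)}}."""
    def unesc(s):
        return s.replace('\\"', '"').replace('\\\\', '\\')
    text = re.sub(r',\\\r?\n[ \t]*', ',', text)          # join wrapped hex lines
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            cur = line[1:-1]
            keys[cur] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or cur is None:
            continue
        name, raw = unesc(m.group(1)), m.group(2)
        if raw.startswith('dword:'):
            keys[cur][name] = ('dword', int(raw[6:], 16))
        elif raw.startswith('hex(7):'):
            blob = bytes(int(b, 16) for b in raw[7:].split(',') if b)
            keys[cur][name] = ('multi_sz', decode_multi_sz(blob))
        elif raw.startswith('"') and raw.endswith('"'):
            keys[cur][name] = ('sz', unesc(raw[1:-1]))
        else:
            keys[cur][name] = ('raw', raw)
    return keys


def pending_pairs(entries):
    """Flat (source, target) pairs: '' target = delete, leading '!' = replace existing."""
    return list(zip(entries[0::2], entries[1::2]))


def scan(keys):
    """Apply the report's registry indicators; returns one string per finding."""
    findings = []
    for path, values in keys.items():
        if path.startswith(WINLOGON_NOTIFY + '\\'):
            pkg = path[len(WINLOGON_NOTIFY) + 1:]
            if pkg not in KNOWN_NOTIFY:
                dll = values.get('DllName', ('sz', '?'))[1]
                findings.append(f'winlogon-notify: package {pkg} loads {dll} into winlogon.exe at logon')
        elif path.startswith(SERVICES + '\\') and '\\' not in path[len(SERVICES) + 1:]:
            svc = path[len(SERVICES) + 1:]
            typ, start = values.get('Type', (0, -1))[1], values.get('Start', (0, -1))[1]
            image = values.get('ImagePath', (0, ''))[1]
            low = image.lower()
            # Heuristic: boot/system-start kernel driver (Type 1, Start 0 or 1)
            # whose image sits in system32 itself instead of system32\drivers.
            if typ == 1 and start in (0, 1) and low.endswith('.sys') and '\\drivers\\' not in low:
                findings.append(f'driver-service: {svc} loads {image} (Start={start})')
        elif path == SESSION_MGR and 'PendingFileRenameOperations' in values:
            for src, dst in pending_pairs(values['PendingFileRenameOperations'][1]):
                action = 'delete' if dst == '' else 'rename to ' + dst.lstrip('!')
                findings.append(f'pending-file-op: {src} -> {action} at next boot')
    return findings
```

Run it over a real export with `scan(parse_reg(open('hklm.reg', encoding='utf-16').read()))`; regedit writes .reg files as UTF-16, which is why the decoding is done by the caller rather than hard-coded here.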
===== Backdoor  =====
**Contact server:**
The following:
  * !http://www.salidol.biz/********************

It sends collected data to, and may receive commands from, a PHP script on this server via HTTP GET and POST requests, which gives the operator remote control of the infected host. Because wndtx1.dll is injected into iexplore.exe (see Injection), this traffic may originate from the browser process itself and blend in with ordinary web browsing.

**Sends information about:**
  * Current user
  * Collected information described in the Stealing section
  * Information about the Windows operating system

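As an added example (not part of the report) of spotting this channel in proxy logs, the Python below matches GET and POST requests whose host is salidol.biz or a subdomain of it, normalising `www.` and port numbers so that a plain substring match on the domain cannot be fooled by a look-alike host. The log lines and the `/x.php` path are constructed; the report redacts the real script path.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hosts named in the report's contact-server entry.
C2_HOSTS = {'salidol.biz'}

# Constructed proxy log (not a real capture): epoch, client, method, URL, status.
# The /x.php paths are placeholders; the report redacts the real script name.
SAMPLE_LOG = """\
1238000001 10.0.0.5 GET http://www.e-gold.com/ 200
1238000004 10.0.0.5 POST http://www.salidol.biz/x.php 200
1238000009 10.0.0.5 GET http://www.salidol.biz/x.php?a=1 200
1238000012 10.0.0.7 GET http://example.org/index.php 200
1238000020 10.0.0.5 GET http://salidol.biz:8080/x.php?a=2 200
1238000025 10.0.0.7 GET http://notsalidol.biz/ 200
"""


def normalize_host(url):
    """Lower-case the host, drop the port and a leading 'www.'."""
    host = urlsplit(url).hostname or ''
    return host[4:] if host.startswith('www.') else host


def is_c2(url):
    """Exact match on a listed host or any subdomain of it; a host that merely
    contains the string (notsalidol.biz) does not match."""
    host = normalize_host(url)
    return host in C2_HOSTS or any(host.endswith('.' + d) for d in C2_HOSTS)


def scan_log(text):
    """Return {client: {method: count}} for GET/POST requests to C2 hosts."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, method, url, _status = parts[:5]
        if method in ('GET', 'POST') and is_c2(url):
            hits[client][method] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == '__main__':
    print(scan_log(SAMPLE_LOG))
```

The per-client method counts are the useful output: a host that both POSTs to and GETs from the same PHP script is uploading stolen data and polling for commands, which is the pattern the report describes.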
===== Stealing  =====
It tries to steal the following information:
– Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites is visited:
  * !http://www.e-gold.com
  * %any HTTPS website that contains a login form%

– It captures:
  * Window information
  * Browser window
  * Login information

===== Injection  =====
– It injects the following file into a process: %SYSDIR%\wndtx1.dll

All of the following processes:
  * iexplore.exe
  * %all processes started after malware is active in memory%

===== Rootkit Technology  =====
The malware hides its presence from system utilities, security applications and ultimately from the user.

Hides the following:

Method used:
  * Hidden from Windows API

Hooks the following API functions:
  * NtCreateProcess
  * NtCreateProcessEx
  * ZwCreateProcess
  * ZwCreateProcessEx

In ntdll.dll the Nt* and Zw* exports are aliases of the same stub, and in the kernel both names reach the same system service, so this amounts to a single hook on process creation. That is consistent with the injection of wndtx1.dll into every process started after infection described in the Injection section.

===== File details  =====
Runtime packer:
To hinder detection and reduce the size of the file it is packed with the following runtime packer:
  * FSG


-- Main.FredPettis - 26 Mar 2009
  
goldun-haxspy-haxdoor.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1