
Goldun/Haxspy

General

Method of propagation:

  • This is not a virus and does not contain any method to replicate. However, this file may be downloaded by other viruses and/or Trojans and installed on the user's system.

Platforms / OS:

  • Windows 95
  • Windows 98
  • Windows 98 SE
  • Windows NT
  • Windows ME
  • Windows 2000
  • Windows XP
  • Windows 2003

Side effects:

  • Drops malicious files
  • Registry modification
  • Steals information

Files

File: Install.exe Hash: 601b43c39f726d975f035cc98c146f99

This trojan may use any of the standard icons, such as the Microsoft Word Document or JPEG Image icon.

The following files are created:

– %SYSDIR%\wndtx1.dll – it is executed as soon as it has been fully written. Further investigation showed that this file is malware, too. Hash: bed399d56b82369eb7fb95caad16de04 Detected as: TR/Dldr.Bolol.A.4, PWS-Goldun (Password Stealer trojan)

– %SYSDIR%\ipudpb2.sys Hash: 14ab6317620fb234c436f8114fab7f26 Detected as: TR/Spy.Haxspy.AE, BackDoor-BAC.sys (Remote Access trojan)

Registry

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]

  • “isfr2” = “[%random character string%[%current username% ]”

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]

  • “DllName” = “wndtx1.dll”
  • “Startup” = “wndtx1”
  • “Impersonate” = dword:00000001
  • “Asynchronous” = dword:00000001
  • “MaxWait” = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]

  • “Type” = dword:00000001
  • “Start” = dword:00000001
  • “ErrorControl” = dword:00000000
  • “ImagePath” = \??\%SYSDIR%\IPUDPB2.SYS
  • “DisplayName” = “IP2 UDPB2”

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]

  • “Security” = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]

  • “0” = “Root\\LEGACY_IPUDPB2\\0000”
  • “Count” = dword:00000001
  • “NextInstance” = dword:00000001

The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]

Old value:

  • “PendingFileRenameOperations” = %hex values%

New value:

  • “PendingFileRenameOperations” = %hex values%
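As an added example (not code from the original write-up), the Python below parses a `reg export`-style dump and flags the three persistence traits listed in this section: a Winlogon Notify package whose DLL is not on a baseline, a kernel-driver service whose image lies outside system32\drivers, and a queued PendingFileRenameOperations entry. The registry sample, the baseline DLL set and the drivers-directory heuristic are constructed assumptions for this example; run it against a real export and tune the baseline to your build.

```python
# Constructed sample in the layout of a `reg export` file. It reproduces the
# keys this write-up attributes to Goldun/Haxspy, plus the benign Windows XP
# Notify package cscdll as a baseline control that must not be flagged.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DllName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
"DllName"="wndtx1.dll"
"Startup"="wndtx1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipudpb2]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\IPUDPB2.SYS"
"DisplayName"="IP2 UDPB2"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):00,00
"""

# Notify DLLs treated as expected on the host: an assumption for this example.
BASELINE_NOTIFY_DLLS = {"cscdll.dll", "crypt32.dll", "wlnotify.dll"}

def parse_reg(text):
    """Parse [key] and "name"=value lines into {key: {name: value}}; strings unescaped."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur and line.startswith('"') and '"=' in line:
            name, value = line[1:].split('"=', 1)
            if value.startswith('"'):  # quoted string: drop quotes, undo .reg escaping
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[cur][name] = value
    return keys

def find_indicators(keys, baseline=BASELINE_NOTIFY_DLLS):
    """Return (rule, key) pairs for the persistence traits described in this section."""
    hits = []
    for key, vals in keys.items():
        k = key.lower()
        if "\\winlogon\\notify\\" in k:
            if vals.get("DllName", "").lower() not in baseline:
                hits.append(("winlogon-notify-dll", key))
        elif "\\currentcontrolset\\services\\" in k and vals.get("Type") == "dword:00000001":
            # Heuristic: kernel driver (Type 1) whose image is not under system32\drivers
            if "\\drivers\\" not in vals.get("ImagePath", "").lower():
                hits.append(("driver-outside-drivers-dir", key))
        elif k.endswith("\\session manager") and "PendingFileRenameOperations" in vals:
            hits.append(("pending-file-rename", key))
    return hits
```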

Backdoor

Contact server: The following:

As a result it may send information, and remote control may be provided. This is done via HTTP GET and POST requests to a PHP script.

Sends information about:

  • Current user
  • Collected information described in stealing section
  • Information about the Windows operating system

Stealing

It tries to steal the following information:

– Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites is visited:

– It captures:

  • Window information
  • Browser window
  • Login information

Injection

– It injects the following file into a process: %SYSDIR%\wndtx1.dll

  All of the following processes:

  • iexplore.exe
  • %all processes started after malware is active in memory%

Rootkit Technology

It is a malware-specific technology. The malware hides its presence from system utilities, security applications and in the end, from the user.

Hides the following:

Method used:

  • Hidden from Windows API

Hooks the following API functions:

  • NtCreateProcess
  • NtCreateProcessEx
  • ZwCreateProcess
  • ZwCreateProcessEx

File details

Runtime packer: In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:

  • FSG

– Main.FredPettis - 26 Mar 2009
