Detection files published: March 3, 2005
Description created: 2010-04-16
Description updated: 2010-04-16

Alias: Trojan-Spy.Win32.Goldun (Kaspersky), Trojan.Spy.Goldun (BitDefender)
Spreading mechanism: Webpage
Payload: Steals information
Goldun is a trojan that steals account information and gold from victims who use the online e-Gold service. Some variants of this trojan have been known to install Browser Helper Objects (BHOs) to monitor the victim's online activity, waiting for URLs pertaining to e-Gold to be entered into the hijacked browser so that the relevant data can be stolen. In some cases, gold can be transferred automatically to another account.
Some samples download new variants of the trojan from malicious web sites; others drop copies that were appended to or otherwise embedded inside the parent executable. Dynamic Link Library (DLL) files for installation as BHOs were also dropped. Rootkit techniques were also used to hide the malicious files and folder entries.
One of the latest variants of this trojan family used a new triggering method. Not a single registry key was changed or created to reference another file or to create the typical BHO entry. In fact, this variant did not even remain memory resident for long after execution. Instead, it patched the Internet Explorer executable, iexplore.exe. The patch ensured that a previously dropped trojan DLL component would be executed every time the compromised Internet Explorer application was launched.
[ DetectionInfo ]
* Filename: C:\Documents and Settings\norman\Desktop\malware.exe.
* Sandbox name: W32/Horst.gen31.dropper.
* Signature name: NOT_SCANNED.
* Compressed: YES.
* TLS hooks: NO.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* File might be compressed.
* Decompressing Unk3!FSG?.
* Accesses executable file from resource section.
* Drops files in %WINSYS% folder.
* Creating several executable files on hard-drive.
* File length: 25377 bytes.
* MD5 hash: e24b4a52b7df30eff2e9c256ff138148.
* Packer detection: FSG v2.0.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\xcqwdhe.exe.
* Creates file C:\WINDOWS\SYSTEM32\msgalo.dll.
* Creates file C:\WINDOWS\TEMP\sdfw.bat.
* Deletes file "C:\WINDOWS\TEMP\xcqwdhe.exe".
* Deletes file "C:\WINDOWS\TEMP\sdfw.bat".
[ Changes to registry ]
* Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
* Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
* Sets value "default"="C:\WINDOWS\SYSTEM32\msgalo.dll" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
* Sets value "p"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Sets value "n"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Sets value "s"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Sets value "f"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Sets value "t"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56262124-6251-5625-3072-548536364311}".
[ Process/window information ]
* Creates a dialogbox with caption "".
* Buttons found in dialogbox: id1[4,131]"Install" id2[205,131]"Close" .
* Creates process "xcqwdhe.exe".
* Pressing button with id 1 "Install".
* Attemps to open C:\WINDOWS\TEMP\sdfw.bat NULL.
* Creates process "CMD.EXE"".
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\msgalo.dll (9728 bytes) : W32/Horst.gen31.
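The sandbox report above records the classic BHO persistence pattern described in the summary: a COM class registered under HKCR\CLSID whose InprocServer32 default value points at a dropped DLL, plus the matching entry under the Browser Helper Objects key, while the installer executable and batch file are deleted again. The following Python script is an added example, not part of Norman's tooling or of this page, that parses report lines in that format, resolves each registered BHO CLSID to its DLL, and reports which dropped files survive the installer's own cleanup. The sample input is the filesystem and registry section reproduced from the report above; the regular expressions assume the line format shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the "Changes to filesystem" / "Changes to registry"
# lines reproduced from the Norman sandbox report on this page.
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\TEMP\xcqwdhe.exe.
 * Creates file C:\WINDOWS\SYSTEM32\msgalo.dll.
 * Creates file C:\WINDOWS\TEMP\sdfw.bat.
 * Deletes file "C:\WINDOWS\TEMP\xcqwdhe.exe".
 * Deletes file "C:\WINDOWS\TEMP\sdfw.bat".
[ Changes to registry ]
 * Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}".
 * Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
 * Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
 * Sets value "default"="C:\WINDOWS\SYSTEM32\msgalo.dll" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32".
 * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56262124-6251-5625-3072-548536364311}".
"""

# A GUID in registry form: {8-4-4-4-12} hex digits.
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# The BHO registration key that makes Internet Explorer load the COM object.
BHO_KEY_RE = re.compile(
    r'Creates key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'
    r'\\Browser Helper Objects\\(' + CLSID + r')"', re.IGNORECASE)

# The InprocServer32 default value names the DLL that implements the class.
INPROC_RE = re.compile(
    r'Sets value "default"="([^"]+)" in key "HKCR\\CLSID\\(' + CLSID
    + r')\\InprocServer32"', re.IGNORECASE)

# File lines come either bare with a trailing period or quoted with a period.
FILE_RE = re.compile(r'^(Creates|Deletes) file "?(.+?)"?\.?$')


@dataclass
class BhoFinding:
    clsid: str
    dll_path: Optional[str]   # None if no InprocServer32 value was seen
    dll_dropped: bool         # True if the DLL was created by the sample


def analyze_report(text: str) -> dict:
    """Extract file drops and BHO registrations from sandbox report lines."""
    created: List[str] = []
    deleted: List[str] = []
    inproc: Dict[str, str] = {}   # lowercased CLSID -> DLL path
    bho_clsids: List[str] = []

    for raw in text.splitlines():
        line = raw.strip().lstrip("*").strip()
        m = FILE_RE.match(line)
        if m:
            (created if m.group(1) == "Creates" else deleted).append(m.group(2))
            continue
        m = INPROC_RE.search(line)
        if m:
            inproc[m.group(2).lower()] = m.group(1)
            continue
        m = BHO_KEY_RE.search(line)
        if m:
            bho_clsids.append(m.group(1).lower())

    deleted_lc = {p.lower() for p in deleted}
    created_lc = {p.lower() for p in created}
    # Files the sample dropped and did not remove again: the persistent artifacts.
    surviving = [p for p in created if p.lower() not in deleted_lc]
    findings = [
        BhoFinding(clsid=c, dll_path=inproc.get(c),
                   dll_dropped=(inproc.get(c) or "").lower() in created_lc)
        for c in bho_clsids
    ]
    return {"created": created, "deleted": deleted,
            "surviving": surviving, "bho": findings}


if __name__ == "__main__":
    result = analyze_report(SAMPLE_REPORT)
    for f in result["bho"]:
        print(f"BHO {f.clsid} -> {f.dll_path} (dropped by sample: {f.dll_dropped})")
    print("surviving files:", result["surviving"])
```

The report for this sample resolves to a single BHO whose DLL, C:\WINDOWS\SYSTEM32\msgalo.dll, is the only dropped file left on disk, which matches the signature-scanning result above. As the summary notes, the later variant that patched iexplore.exe created no BHO registry entry at all, so a check of this kind covers only the registry-registered variants and does not replace scanning the Internet Explorer binary itself.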
Norman’s antivirus products are in general able to remove all malicious software that is detected.
Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean the infection.
http://www.norman.com/support/support_tools/58732/en
Related support topics:
* Stopping network share infectors
* Cleaning of back-up folders on Windows Me and XP