F-Secure Malware Information Pages: Trojan-Spy:W32/Goldun.RR

Name: Trojan-Spy:W32/Goldun.RR
Detection Names:
- Trojan-Spy:W32/Goldun.RR
- Trojan-Spy.Win32.Goldun.axt
Aliases:
- Trojan:Win32/Agent.PX (Microsoft)
- TROJ_MEREDROP.GJ (Trend Micro)
- Trojan.Goldun (Symantec)
Type: Trojan-Spy
Category: Malware
Platform: W32
Summary
A type of trojan that includes a variety of spy programs and keyloggers.

Additional Details
Goldun.RR drops the following files:
- C:\WINDOWS\system32\cabpck.dll
- C:\WINDOWS\system32\krnlcab.sys

The file cabpck.dll is detected as Trojan-Spy.Win32.Goldun.axn. The file krnlcab.sys is detected as Trojan-Spy.Win32.Goldun.axr.

The main file creates the following process and then terminates itself:
- C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck

Network Communications

Goldun.RR attempts to connect to:
- social-bos.biz/jerken/data.php?trackid=706[...]

Registry

It creates a launch point using a Winlogon notification event, so that cabpck.dll is loaded by winlogon.exe at logon:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
  DllName = cabpck.dll
  Startup = cabpck
  Impersonate = 00000001
  Asynchronous = 00000001
  MaxWait = 00000001
  a950 = [2E09BF121A42171A6]

Goldun.RR registers its driver as a service:
- HKLM\System\CurrentControlSet\Services\krnlcab
  Type = 00000001
  Start = 00000001
  ErrorControl = 00000000
  ImagePath = system32\krnlcab.sys
  DisplayName = Cabinet Kernel Packer
- HKLM\System\CurrentControlSet\Services\krnlcab\Security
  Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\[...]

It creates this entry so that the driver also loads in Safe Mode:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys
  (default) = Driver

It adds rundll32.exe to the Windows Firewall authorized applications list so that its outbound connection is not blocked:
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
  C:\WINDOWS\system32\rundll32.exe = C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32
F-Secure Corporation
Last Modified: October 07, 2008