Win32/Galaxy [Threat Name]

Win32/Galaxy.A [Threat Variant Name]

Category: trojan
Size: 39936 B
Detection created: Mar 20, 2002
Detection database version: 233
Aliases: Backdoor.Win32.Galaxy (Kaspersky), Backdoor:Win32/Galaxy (Microsoft), Backdoor.GRM (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\grm.exe

The trojan registers itself as a system service using the following name:

  • GRM

This way the trojan ensures that the file is executed on every system start.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    • "GRM" = "%system%\grm.exe"
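
The following PowerShell script is an added example for hunting the persistence indicators listed in this entry on a Windows host; it is not part of the ESET description and not code from the malware. It checks only the identifiers the entry gives (the dropped file %system%\grm.exe, a service named GRM, and the "GRM" value under the RunServices key), plus the service control manager key and any running process image that an NT-family system would hold for a service of that name, which is an assumption about where the same indicators would appear there. Note that the RunServices key is an autostart location honoured by Windows 9x/ME and may not exist on NT-family systems, so its absence alone proves nothing.

```powershell
# Added example (not from the ESET entry): hunt for the Win32/Galaxy.A
# persistence indicators listed above on the local host.
# Indicators taken from the entry: %system%\grm.exe, service name "GRM",
# RunServices value "GRM". Run from an elevated PowerShell prompt.

$findings = @()

# 1. Dropped file in the system directory (%system%, e.g. C:\Windows\System32).
#    The entry lists the sample size as 39936 B; other sizes may be repacked variants.
$systemDir = [Environment]::GetFolderPath('System')
$dropPath  = Join-Path $systemDir 'grm.exe'
if (Test-Path -LiteralPath $dropPath) {
    $file = Get-Item -LiteralPath $dropPath
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Detail    = "$dropPath ($($file.Length) bytes)"
    }
}

# 2. Service registered under the name "GRM" (queried through the SCM).
$svc = Get-Service -Name 'GRM' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = 'Service'
        Detail    = "GRM service present, status: $($svc.Status)"
    }
}

# 2b. Service definition in the registry (NT-family location; assumption, not from the entry).
$scmKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\GRM'
if (Test-Path -LiteralPath $scmKey) {
    $imagePath = (Get-ItemProperty -LiteralPath $scmKey -ErrorAction SilentlyContinue).ImagePath
    $findings += [pscustomobject]@{
        Indicator = 'ServiceKey'
        Detail    = "$scmKey ImagePath = $imagePath"
    }
}

# 3. RunServices autostart value named "GRM" (key exists on Windows 9x/ME; may be absent on NT).
$runServicesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
if (Test-Path -LiteralPath $runServicesKey) {
    $val = (Get-ItemProperty -LiteralPath $runServicesKey -ErrorAction SilentlyContinue).GRM
    if ($val) {
        $findings += [pscustomobject]@{
            Indicator = 'RunServices'
            Detail    = "GRM = $val"
        }
    }
}

# 4. Running process whose image is grm.exe (Get-Process matches the name without extension).
$procs = Get-Process -Name 'grm' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += [pscustomobject]@{
        Indicator = 'Process'
        Detail    = "PID $($p.Id) path $($p.Path)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Galaxy.A persistence indicators found.'
} else {
    Write-Output 'Possible Win32/Galaxy.A indicators:'
    $findings | Format-Table -AutoSize
}
```

A hit on any single indicator is a lead rather than a verdict: a file or service name alone can collide with unrelated software, so confirm a suspected sample with a scanner detection or by comparing it against a known hash before acting on it.
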

Information stealing

The trojan collects the following information:

  • computer name
  • hardware information
  • information about the operating system and system settings
  • volume serial number
  • list of files/folders on a specific drive
  • list of running processes
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open ports
  • upload files to a remote computer
  • execute shell commands
  • send gathered information
  • terminate running processes
  • various file system operations
  • open the CD/DVD drive
  • display a dialog window
  • shut down/restart the computer
  • uninstall itself

The malware configuration is passed as command line parameters when the malware executable is launched.
