Win32/Glupteba [Threat Name]

Win32/Glupteba.G [Threat Variant Name]

Category: trojan
Size: 46613 B
Detection created: Apr 28, 2011
Detection database version: 6079
Aliases: Trojan-Downloader.NSIS.Agent.jP (Kaspersky), TrojanDownloader:Win32/Carberp.K (Microsoft), Trojan.ADH (Symantec)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan drops the following file into the folder %localappdata%\Google\Update\:

  • GoogleUpdateBeta.exe (17408 B)

The trojan registers itself as a system service using the following name:

  • GoogleUpdateBeta

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GoogleUpdateBeta]
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = "%localappdata%\Google\Update\GoogleUpdateBeta.exe /svc"
    • "DisplayName" = "Google Update Service"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it!"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "GoogleUpdateBeta" = "%localappdata%\Google\Update\GoogleUpdateBeta.exe"

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Google\Google Updater]
    • "GUID" = %data%
    • "svalue" = %data%
    • "value" = %data%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    • "PendingFileRenameOperations" = "%malwarefilepath%.exe"
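The service key, the Run key and the PendingFileRenameOperations value listed in the Installation and Other information sections are the artifacts a responder can check for on disk images or registry exports. The script below is an added example written for this page; it is not ESET's code and not part of the threat description. It parses a constructed .reg export (the sample text, the OneDrive decoy entry and the dropper path are invented for the example; the PendingFileRenameOperations value is written as a plain string, whereas a real export stores that REG_MULTI_SZ value as hex(7)) and flags the artifacts named above, plus one generic heuristic: a service whose ImagePath points under a user profile directory.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample of a Windows .reg export (not taken from the page). The
# keys and values mirror the indicators listed above; the OneDrive Run entry
# is a benign decoy, and PendingFileRenameOperations is written as a plain
# string for brevity (a real export stores this REG_MULTI_SZ value as hex(7)).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GoogleUpdateBeta]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="%localappdata%\\Google\\Update\\GoogleUpdateBeta.exe /svc"
"DisplayName"="Google Update Service"
"ObjectName"="LocalSystem"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"GoogleUpdateBeta"="%localappdata%\\Google\\Update\\GoogleUpdateBeta.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"="C:\\Users\\user\\Downloads\\dropper.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SERVICE_NAME = "googleupdatebeta"       # service name from the description
DROPPED_FILE = "googleupdatebeta.exe"   # dropped file from the description
USER_PROFILE_MARKERS = ("%localappdata%", "%appdata%",
                        "\\appdata\\local\\", "\\appdata\\roaming\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the subset of .reg syntax used here: [key] headers, quoted
    string values and dword values. Returns {key_path: {name: value}}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                current[name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                current[name] = data  # hex(...) and other types kept raw
    return keys


def find_glupteba_indicators(reg_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for the persistence artifacts described
    above, plus a generic heuristic for services whose binary lives under a
    user profile directory."""
    findings: List[Tuple[str, str]] = []
    for path, values in parse_reg_export(reg_text).items():
        lpath = path.lower()
        if "\\services\\" in lpath:
            svc = lpath.rsplit("\\", 1)[-1]
            image = str(values.get("ImagePath", "")).lower()
            detail = f"{path}: ImagePath={values.get('ImagePath')}"
            # Start=2 is SERVICE_AUTO_START; ObjectName=LocalSystem means a
            # binary in a user-writable folder runs with full system rights.
            if values.get("Start") == 2 and str(values.get("ObjectName", "")).lower() == "localsystem":
                detail += " (auto-start as LocalSystem)"
            if svc == SERVICE_NAME or DROPPED_FILE in image:
                findings.append(("service", detail))
            elif any(marker in image for marker in USER_PROFILE_MARKERS):
                findings.append(("service-in-user-profile", detail))
        elif lpath.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if name.lower() == SERVICE_NAME or DROPPED_FILE in str(data).lower():
                    findings.append(("run-key", f"{path}\\{name} = {data}"))
        elif lpath.endswith("\\session manager") and "PendingFileRenameOperations" in values:
            # The description lists this value pointing at the malware's own
            # path; Windows processes it at the next boot to move or delete the file.
            findings.append(("pending-rename", f"{path}: {values['PendingFileRenameOperations']}"))
    return findings


if __name__ == "__main__":
    for category, detail in find_glupteba_indicators(SAMPLE_REG_EXPORT):
        print(f"[{category}] {detail}")
```

Run against a real export (`reg export HKLM\SYSTEM hklm_system.reg` from an elevated prompt, then pass the file contents to find_glupteba_indicators), the name-based checks match only this variant, while the service-in-user-profile heuristic is a broader triage signal that needs a human to confirm.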

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (40) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries

The trojan may create the following files:

  • %temp%\goog%variable%.tmp
  • %windir%\wininit.ini

A string with variable content is used in place of %variable%.