Win32/Spy.Gauss [Threat Name]

Win32/Spy.Gauss.A [Threat Variant Name]

Category: trojan
Size: 236544 B
Detection created: Aug 09, 2012
Detection database version: 7371
Aliases: Trojan-Spy.Win32.Gauss.wmi (Kaspersky), PWS-Gauss.a.trojan (McAfee), TrojanSpy:Win32/Gauss.A (Microsoft), W32.Gauss (Symantec)
Short description

Win32/Spy.Gauss.A is a trojan that steals passwords and other sensitive information. The trojan can download and execute a file from the Internet. The trojan is usually a part of other malware.

Installation

When executed, the trojan copies itself to the following locations:

  • %systemroot%\System32\wbem\wmiqry32.dll
  • %systemroot%\System32\wbem\wmihlp32.dll

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32]
    • "(Default)" = "%systemroot%\System32\wbem\wmihlp32.dll"

The trojan can create and run a new thread with its own program code within the following processes:

  • svchost.exe
  • explorer.exe

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • abcd.exe
  • acs.exe
  • adoronsfirewall.exe
  • alertwall.exe
  • ALMon.exe
  • ALsvc.exe
  • alupdate.exe
  • AntiHook.exe
  • app_firewall.exe
  • apvxdwin.exe
  • armorwall.exe
  • as3pf.exe
  • asr.exe
  • aupdrun.exe
  • authfw.exe
  • avas.exe
  • avcom.exe
  • avkproxy.exe
  • avkservice.exe
  • avktray.exe
  • avkwctl.exe
  • avkwctrl.exe
  • avmgma.exe
  • avp.exe
  • avtask.exe
  • aws.exe
  • backgroundscanclient.exe
  • bgctl.exe
  • bgnt.exe
  • blackd.exe
  • blackice.exe
  • blinksvc.exe
  • bootsafe.exe
  • bullguard.exe
  • CavApp.exe
  • cavasm.exe
  • CavAUD.exe
  • CavCons.exe
  • CavEmSrv.exe
  • Cavmr.exe
  • CavMud.exe
  • Cavoar.exe
  • CavQ.exe
  • CavSn.exe
  • CavSub.exe
  • CavUMAS.exe
  • CavUserUpd.exe
  • Cavvl.exe
  • cdas17.exe
  • cdas2.exe
  • cdinstx.exe
  • CEmRep.exe
  • clamd.exe
  • CMain.exe
  • cmdagent.exe
  • cmgrdian.exe
  • configmgr.exe
  • configuresav.exe
  • cpd.exe
  • csi-eui.exe
  • CV.exe
  • DCSUserProt.exe
  • dfw.exe
  • dlservice.exe
  • dltray.exe
  • dvpapi.exe
  • emlproui.exe
  • emlproxy.exe
  • endtaskpro.exe
  • espwatch.exe
  • Ethereal.exe
  • fameh32.exe
  • fch32.exe
  • fgui.exe
  • filedeleter.exe
  • filemon.exe
  • firewall.exe
  • firewall2004.exe
  • firewallgui.exe
  • fsar32.exe
  • fsav32.exe
  • fsdfwd.exe
  • fsgk32.exe
  • fsgk32st.exe
  • fsguidll.exe
  • fshdll32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • fsorsp.exe
  • fspc.exe
  • fsqh.exe
  • fsrt.exe
  • fssm32.exe
  • fsus.exe
  • fwsrv.exe
  • gateway.exe
  • GDFirewallTray.exe
  • GDFwSvc.exe
  • GDScan.exe
  • gsava.exe
  • gssm32.exe
  • hpf_.exe
  • iface.exe
  • InstLsp.exe
  • invent.exe
  • ipatrol.exe
  • ipcserver.exe
  • ipctray.exe
  • kpf4gui.exe
  • kpf4ss.exe
  • licwiz.exe
  • livehelp.exe
  • lookout.exe
  • lpfw.exe
  • mpf.exe
  • mpfcm.exe
  • Netcap.exe
  • Netguard Lite.exe
  • netguardlite.exe
  • Netmon.exe
  • nstzerospywarelite.exe
  • oasclnt.exe
  • omnitray.exe
  • OnAccessInstaller.exe
  • onlinent.exe
  • opf.exe
  • opfsvc.exe
  • op_mon.exe
  • outpost.exe
  • Packetizer.exe
  • Packetyzer.exe
  • pcipprev.exe
  • pctav.exe
  • pctavsvc.exe
  • pcviper.exe
  • persfw.exe
  • pfft.exe
  • pgaccount.exe
  • prevxcsi.exe
  • prifw.exe
  • privatefirewall 3.exe
  • privatefirewall3.exe
  • procguard.exe
  • procmon.exe
  • protect.exe
  • pxagent.exe
  • rawshark.exe
  • RDTask.exe
  • rtt_crc_service.exe
  • sab_wab.exe
  • sagui.exe
  • SAVAdminService.exe
  • savcleanup.exe
  • savcli.exe
  • savmain.exe
  • savprogress.exe
  • SavService.exe
  • scfmanager.exe
  • scfservice.exe
  • schedulerdaemon.exe
  • sdcdevcon.exe
  • sdcdevconIA.exe
  • sdcdevconx.exe
  • sdcservice.exe
  • sdtrayapp.exe
  • siteadv.exe
  • sndsrvc.exe
  • Sniffer.exe
  • snsmcon.exe
  • snsupd.exe
  • SoftAct.exe
  • spfirewallsvc.exe
  • sppfw.exe
  • spybotsd.exe
  • SpyHunter3.exe
  • spywareterminatorshield.exe
  • spywat~1.exe
  • sp_rsser.exe
  • ssupdate.exe
  • SUPERAntiSpyware.exe
  • Tcpdump.exe
  • terminet.exe
  • Tethereal.exe
  • THGuard.exe
  • tppfdmn.exe
  • tscutynt.exe
  • tshark.exe
  • tzpfw.exe
  • umxagent.exe
  • umxtray.exe
  • updclient.exe
  • UUpd.exe
  • uwcdsvr.exe
  • VCATCH.exe
  • vdtask.exe
  • VSDesktop.exe
  • vsmon.exe
  • webwall.exe
  • Windump.exe
  • winroute.exe
  • Wireshark.exe
  • wwasher.exe
  • xauth_service.exe
  • xfilter.exe
  • zanda.exe
  • zapro.exe
  • zerospywarele.exe
  • zerospywarelite_installer.exe
  • zlclient.exe
  • zlh.exe
Information stealing

Win32/Spy.Gauss.A is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • computer name
  • operating system version
  • network adapter information
  • login passwords for certain applications/services
  • login user names for certain applications/services
  • information about the operating system and system settings
  • computer IP address
  • list of running processes
  • a list of recently visited URLs
  • cookies
  • Internet Explorer version
  • list of files/folders on specific drive
  • hardware information
  • the path to specific folders
  • network parameters

The collected information is stored in the following files:

  • %temp%\~shw.tmp
  • %windir%\temp\~ZM6AD3.tmp
  • %drive%\.thumbs.db
  • %temp%\md.bak
  • %systemroot%\Temp\s61cs3.dat
  • %systemroot%\Temp\ws1bin.dat

The trojan attempts to send gathered information to a remote machine.

Spreading on removable media

The trojan may create copies of itself on removable drives.


The trojan may create the following files:

  • %drive%\system32.dat (Win32/Spy.Gauss.A, 430080 B)
  • %drive%\system32.bin (Win32/Spy.Gauss.A, 681984 B)
  • %drive%\.Backup0%variable%\target.lnk
  • %drive%\.Backup0%variable%\desktop.ini
  • %drive%\.Backup00%variable%\target.lnk
  • %drive%\.Backup00%variable%\desktop.ini

The %variable% is one of the following strings: "D", "E", "F", "G", "H", "I", "J", "K", "L", "M".

Other information

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • www.google.com
  • www.update.windows.com

The trojan may attempt to download files from the Internet.


The trojan contains a list of 4 URLs and uses the HTTPS protocol to contact them.


The trojan may create the following files:

  • %systemroot%\fonts\pldnrfn.ttf
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\browser.js
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\browser.xul
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\fileio.js
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\chrome.manifest
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\lppd.dat
  • %appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\install.rdf

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
    • "Palida Narrow (TrueType)" = "pldnrfn.ttf"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability]
    • "ShutdownInterval" = %variable1%
    • "TimeStampForUI" = %variable2%
    • "ShutdownInterval" = 44260
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "WindowBuildVal" = %variable3%
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "EnableGateway" = 0
  • [SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "SortDir" = 0

%variable1%, %variable2% and %variable3% stand for strings with variable content.
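As an added defender-side example (not part of the ESET description), the file and Registry artifacts listed in the Installation, Spreading and Other information sections above are turned into matchers that can be run over a file inventory and a Registry export; the expansions of %systemroot%, %appdata% and %drive% are my assumptions, and the function names are hypothetical.

```python
import re

# Artifact templates copied from the description above, in the page's own
# placeholder notation (%systemroot%, %appdata%, %drive%, %variable%, %profile%).
FILE_TEMPLATES = [
    r"%systemroot%\System32\wbem\wmiqry32.dll",
    r"%systemroot%\System32\wbem\wmihlp32.dll",
    r"%systemroot%\fonts\pldnrfn.ttf",
    r"%drive%\system32.dat",
    r"%drive%\.Backup0%variable%\target.lnk",
    r"%drive%\.Backup00%variable%\target.lnk",
    r"%appdata%\Mozilla\firefox\Profiles\%profile%.default\extensions"
    r"\{a288cad4-7b24-43f8-9f4d-8e156305a8bc}\install.rdf",
]
REGISTRY_TEMPLATES = [  # (key, value name, expected data), from the page
    (r"HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32",
     "(Default)", r"%systemroot%\System32\wbem\wmihlp32.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts",
     "Palida Narrow (TrueType)", "pldnrfn.ttf"),
]
# Assumed expansions (not from the page): drive letter, Windows dir, roaming profile.
PLACEHOLDERS = {
    "%systemroot%": r"[a-z]:\\(?:windows|winnt)",
    "%appdata%": r"[a-z]:\\(?:users\\[^\\]+\\appdata\\roaming"
                 r"|documents and settings\\[^\\]+\\application data)",
    "%drive%": r"[a-z]:",
    "%variable%": r"[d-m]",          # the page says one of D..M
    "%profile%": r"[^\\]+",
}

def template_to_regex(template):
    """Expand placeholders to sub-patterns and regex-escape every literal part."""
    parts = (PLACEHOLDERS.get(t, re.escape(t)) for t in re.split(r"(%[a-z]+%)", template))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

FILE_PATTERNS = [template_to_regex(t) for t in FILE_TEMPLATES]
REGISTRY_PATTERNS = [(k.lower(), n.lower(), template_to_regex(d)) for k, n, d in REGISTRY_TEMPLATES]

def match_files(paths):
    """Return the paths (e.g. from a filesystem inventory) that match an artifact template."""
    return [p for p in paths if any(rx.match(p) for rx in FILE_PATTERNS)]

def match_registry(values):
    """values: (key, value name, data) triples as exported from the Registry."""
    return [(k, n, d) for k, n, d in values
            if any(k.lower() == ek and n.lower() == en and rx.match(d)
                   for ek, en, rx in REGISTRY_PATTERNS)]
```

A hit on the CLSID InProcServer32 value pointing at wmihlp32.dll is the persistence mechanism described under Installation; a `.Backup0X\target.lnk` hit on a removable drive is the spreading artifact.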


The trojan hooks the following Windows APIs:

  • NtQueryDirectoryFile (ntdll.dll)
