Win32/Spy.Goldun [Threat Name]

Win32/Spy.Goldun.GU [Threat Variant Name]

Category: trojan
Detection created: Feb 09, 2006
Detection database version: 1402

Short description

Win32/Spy.Goldun.GU is a trojan that steals passwords.

Installation

The following files are dropped into the %system% folder:

  • openglssd.sys
  • openglss.dll

The library openglss.dll is loaded and injected into the following process:

  • EXPLORER.EXE

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
    • "DllName" = "openglss.dll"
    • "Startup" = "openglss"
    • "Impersonate" = "1"
    • "Asynchronous" = "1"
    • "MaxWait" = "1"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss\nk48id]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
    • "Type" = "1"
    • "Start" = "1"
    • "ErrorControl" = "0"
    • "ImagePath" = "\??\%system%\openglssd.sys"
    • "DisplayName" = "OPENGL technology access"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
    • "0" = "Root\LEGACY_OPENGLSSD\0000"
    • "Count" = "1"
    • "NextInstance" = "1"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Security]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%windir%\Explorer.EXE" = "%windir%\Explorer.EXE:*:Enabled:explorer"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
    • "Persistent" = "0"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OPENGLSSD\0000\Control]

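
The registry entries above describe two persistence points: a Winlogon Notify package (openglss.dll, which winlogon.exe loads at logon events) and a kernel driver service (openglssd, where Type 1 means a kernel driver and Start 1 means it is loaded at system start). The Python script below is an added triage example, not ESET's analysis or tooling. It parses a registry export (.reg text) and lists every Notify package plus any service whose ImagePath points at the dropped driver. The export it scans is constructed inline, with ImagePath written as a plain string rather than the hex(2) form real exports use for REG_EXPAND_SZ, and the names parse_reg_export, winlogon_notify_packages and suspicious_findings are mine.

```python
"""Triage helper for the persistence described above: parse a registry export
(.reg text) and report Winlogon Notify packages and driver services.
Added example, not ESET's analysis or tooling; function names are assumptions."""
import re
from typing import Dict, List

# Indicators taken from the threat description.
NOTIFY_DLL = "openglss.dll"
DRIVER_FILE = "openglssd.sys"
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed export. One legitimate Notify package (crypt32chain) sits next
# to the trojan's entries. ImagePath is written as a plain string; real exports
# store REG_EXPAND_SZ values as hex(2), which this parser does not decode.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"DllName"="openglss.dll"
"Startup"="openglss"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss\nk48id]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\openglssd.sys"
"DisplayName"="OPENGL technology access"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset needed here: [key] headers followed by
    "name"="string" or "name"=dword:hex lines. Returns {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, rhs = m.group(1), m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = rhs[1:-1].replace("\\\\", "\\")  # unescape \\ -> \
        elif rhs.lower().startswith("dword:"):
            keys[current][name] = str(int(rhs[6:], 16))
    return keys


def _value(values: Dict[str, str], name: str) -> str:
    """Case-insensitive value lookup (Windows itself writes DLLName for some packages)."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return ""


def winlogon_notify_packages(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each Winlogon Notify package name to the DLL it loads. Every entry
    here runs inside winlogon.exe at logon events, so the list should be short
    and every DLL on it accounted for."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    packages: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            sub = key[len(prefix):]
            if "\\" not in sub:  # skip nested subkeys such as ...\openglss\nk48id
                packages[sub] = _value(values, "DllName")
    return packages


def suspicious_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the indicators from the description: the Notify DLL and any service
    whose ImagePath loads the dropped driver (Type 1 = kernel driver,
    Start 1 = loaded at system start)."""
    findings: List[str] = []
    for package, dll in winlogon_notify_packages(keys).items():
        if dll.lower() == NOTIFY_DLL:
            findings.append(f"Winlogon Notify package '{package}' loads {dll}")
    prefix = SERVICES_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = _value(values, "ImagePath")
        if image.lower().endswith(DRIVER_FILE):
            service = key[len(prefix):].split("\\")[0]
            findings.append(
                f"Service '{service}' Type={_value(values, 'Type')} "
                f"Start={_value(values, 'Start')} loads {image}")
    return findings


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    print("Notify packages:", winlogon_notify_packages(parsed))
    for finding in suspicious_findings(parsed):
        print("FINDING:", finding)
```

On a live system the same input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and the matching Services export; the parser reports only what the export contains, so the nk48id, Enum and Security subkeys show up as keys with no values rather than as findings.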
Information stealing

The trojan collects passwords used to access the following site:

  • https://www.e-gold.com

The trojan can send the information to a remote machine.

Other information

The trojan blocks access to the following sites:

  • avp.ch
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • avp.com
  • avp.ru
  • awaps.net
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • updates1.kaspersky-labs.com
  • updates2.kaspersky-labs.com
  • virustotal.com
  • updates3.kaspersky-labs.com
  • d-ru-2f.kaspersky-labs.com
  • updates4.kaspersky-labs.com
  • updates5.kaspersky-labs.com
  • downloads-us1.kaspersky-labs.com
  • downloads-us2.kaspersky-labs.com
  • downloads-us3.kaspersky-labs.com
  • engine.awaps.net
  • f-secure.com
  • ftp.avp.ch
  • ftp.downloads2.kaspersky-labs.com
  • ftp.f-secure.com
  • ftp.kasperskylab.ru
  • ftp.kaspersky.ru
  • d-ru-1f.kaspersky-labs.com
  • d-eu-1f.kaspersky-labs.com
  • rads.mcafee.com
  • d-eu-2f.kaspersky-labs.com
  • d-us-1f.kaspersky-labs.com
  • ftp.sophos.com
  • ids.kaspersky-labs.com
  • kaspersky.com
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • kaspersky.ru
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • networkassociates.com
  • phx.corporate-ir.net
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • spd.atdmt.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
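
The page does not say how the trojan blocks these sites. Whatever the mechanism, one standard triage step is to check the hosts file for entries that remap security-vendor domains, and that check is what the added Python example below does; it is mine, not ESET's analysis or tooling. The hosts file content is constructed inline, the watchlist is an excerpt of the list above with duplicates removed, and the names parse_hosts, watched_domain and hijacked_entries are assumptions. A clean hosts file does not clear a host: blocking can also be done by a driver or other network filtering, so the registry and file indicators above still need checking.

```python
"""Hosts-file triage against a watchlist of security-vendor domains.
Added example, not ESET's analysis; function names are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Excerpt of the blocked-site list above, with duplicates removed.
WATCHLIST = sorted({
    "avp.ch", "avp.com", "avp.ru", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "downloads1.kaspersky-labs.com",
    "liveupdate.symantec.com", "symantec.com", "mcafee.com",
    "sophos.com", "trendmicro.com", "virustotal.com", "my-etrust.com",
})

# Constructed hosts file: the usual header, localhost, a harmless pinned site,
# and three injected redirects of vendor update hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com
0.0.0.0   downloads1.kaspersky-labs.com   # appended by malware
127.0.0.1       www.example.com
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for every valid mapping,
    ignoring comments, blank lines and lines whose first token is not an IP."""
    entries: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, parts[0], name.lower()))
    return entries


def watched_domain(hostname: str, watchlist: List[str] = WATCHLIST) -> Optional[str]:
    """Return the watchlist entry that hostname equals or is a subdomain of."""
    for domain in watchlist:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def hijacked_entries(text: str, watchlist: List[str] = WATCHLIST) -> List[Dict[str, object]]:
    """Hosts entries that remap a watchlisted domain. Any such entry deserves a
    look: vendors' update hosts are not normally pinned in a hosts file, and
    loopback or 0.0.0.0 targets mean the name has been made unreachable."""
    hits: List[Dict[str, object]] = []
    for lineno, addr, name in parse_hosts(text):
        domain = watched_domain(name, watchlist)
        if domain is not None:
            hits.append({"line": lineno, "address": addr, "host": name, "matches": domain})
    return hits


if __name__ == "__main__":
    for hit in hijacked_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']} (watchlist: {hit['matches']})")
```

On a Windows host the file to feed in is %windir%\System32\drivers\etc\hosts; pass the full deduplicated list above as the watchlist to cover every domain the description names.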
