Win32/Ghodow [Threat Name]

Win32/Ghodow.NAG [Threat Variant Name]

Category trojan
Size 101968 B
Aliases Backdoor.Win32.Phanta.aq (Kaspersky)
  Trojan:Win32/Popureb.C (Microsoft)
  Trojan.Click1.37375 (Dr.Web)
Short description

Win32/Ghodow.NAG is a trojan that changes the home page of certain web browsers. It replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code and uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • C:\smsc.exe (57856 B)
  • C:\mb.exe (84992 B)
  • C:\alg.exe (57856 B)
  • %system%\hello_tt.sys (6656 B)
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.IE
  • %desktop%\Internet Explorer.IE

The trojan may create the following files:

  • %commonvideo%\PulgFile.log
  • %commonvideo%\al.ini

The trojan installs hello_tt.sys as a kernel-mode driver service (Type = 1, Start = 3, i.e. demand start) using the following name:

  • hello_tt

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Windows\CurrentVersion\Run]
    • "Alg" = "C:\alg.exe"

Win32/Ghodow.NAG replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code. The boot code it installs carries additional code that loads and patches the following files:

  • ntldr
  • ntkrnlpa.exe
  • beep.sys
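
Because the MBR is the on-disk artifact of this infection (the page's wording suggests ntldr, ntkrnlpa.exe and beep.sys are patched as they are loaded, so their on-disk copies need not differ), the practical check is to compare the boot-code bytes of sector 0 against a known-good copy. The script below is an added example, not ESET's analysis code or anything from the trojan: it hashes only bytes 0..439 (the disk signature and partition table that follow differ per machine, so a whole-sector hash would never match a baseline), sanity-checks the rest of the sector, and can read the raw disk on Windows. CLEAN_CODE, the partition layout and the disk signature are constructed for the offline demo; on a real host the baseline must be taken from a clean image of the same Windows version and language, since the real boot code contains localized error strings.

```python
"""Check a 512-byte MBR for a replaced boot sector.

Added example, not ESET's analysis code: the page states only that the trojan
overwrites the MBR with its own code and from there loads and patches ntldr,
ntkrnlpa.exe and beep.sys. CLEAN_CODE and the partition layout are constructed,
so on a real host the baseline hash must come from a clean image of the same
Windows version, not from the constant below.
"""
import hashlib
import struct
import sys

MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF, SIG_OFF = 512, 440, 446, 510


def parse_partitions(mbr):
    """Decode the four 16-byte partition entries: status, type, start LBA, sector count."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"active": status == 0x80, "type": ptype, "start_lba": lba, "sectors": count})
    return entries


def check_mbr(mbr, baseline_sha256):
    """Return a list of findings; an empty list means the sector is well formed and matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    # Hash only bytes 0..439. The disk signature at 440..443 and the partition table
    # differ per machine, so hashing the whole sector would never match a baseline;
    # a bootkit swaps the code and leaves the table alone so the system still boots.
    code_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_hash != baseline_sha256:
        findings.append(f"boot code replaced: sha256 {code_hash}")
    active = [p for p in parse_partitions(mbr) if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk (Windows, needs administrator rights).

    A kernel-resident bootkit that filters disk I/O can return the original sector to
    this read, so a result that matches the baseline from inside the infected system is
    not conclusive; reading the disk from boot media or another machine is."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code):
    """Constructed sector: the given boot code, a disk signature and one active NTFS partition at LBA 63."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1234ABCD)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 20_964_762)
    sector[SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # constructed stand-in for the real boot code
CLEAN_BASELINE = hashlib.sha256(build_sample_mbr(CLEAN_CODE)[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:   # usage: script.py <sha256 of clean boot code>
        mbr, baseline = read_physical_mbr(), sys.argv[1]
    else:                                                # offline demo: a sector whose code was swapped
        mbr, baseline = build_sample_mbr(b"\xfa\xeb\xfe"), CLEAN_BASELINE
    for line in check_mbr(mbr, baseline) or ["MBR matches baseline"]:
        print(line)
```

Run without arguments it checks a constructed sector whose code was swapped and reports the hash mismatch; on Windows, run as administrator with the clean boot-code hash as the only argument to check PhysicalDrive0. Treat a clean result obtained from inside the suspect system with caution for the reason given in read_physical_mbr.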

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_CLASSES_ROOT\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command]
    • "(Default)" = "Explorer.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage]
    • "(Default)" = "%value%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE\shell\open\command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JE\shell\open\command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_CLASSES_ROOT\SOFTWARE\IE\shell\open\command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_CLASSES_ROOT\SOFTWARE\JE\shell\open\command]
    • "(Default)" = "%programfiles%\Internet Explorer\iexplore.exe http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.IE]
    • "(Default)" = "IE"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.JE]
    • "(Default)" = "JE"
  • [HKEY_CLASSES_ROOT\SOFTWARE\.IE]
    • "(Default)" = "IE"
  • [HKEY_CLASSES_ROOT\SOFTWARE\.JE]
    • "(Default)" = "JE"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE\DefaultIcon]
    • "(Default)" = "shdoclc.dll,0"
  • [HKEY_CLASSES_ROOT\SOFTWARE\IE\DefaultIcon]
    • "(Default)" = "shdoclc.dll,0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE]
    • "(Default)" = "%value%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JE]
    • "(Default)" = "%value%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    • "{871C5380-42A0-1069-A2EA-08002B30309D}" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELLO_TT\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "hello_tt"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELLO_TT\0000]
    • "Service" = "hello_tt"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "hello_tt"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HELLO_TT]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hello_tt\Enum]
    • "0" = "Root\LEGACY_HELLO_TT\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hello_tt\Security]
    • "Security" = %hexvalue%
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hello_tt]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\hello_tt.sys"
    • "DisplayName" = "hello_tt"
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Default_Page_URL" = "http://123.765%removed%.info"
    • "Start Page" = "http://123.765%removed%.info"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    • "{871C5380-42A0-1069-A2EA-08002B30309D}" = 2
    • "{871C5380-42A0-1069-A2EA-08002B30309D}.default" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
    • "{871C5380-42A0-1069-A2EA-08002B30309D}" = 2
    • "{871C5380-42A0-1069-A2EA-08002B30309D}.default" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
    • "{871C5380-42A0-1069-A2EA-08002B30309D}" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideFileExt" = 1
    • "Hidden" = 2
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
    • "Removal Message" = "@mydocs.dll,-900"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
    • "(Default)" = "Recycle Bin"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
    • "(Default)" = "Search Results Folder"

The following Registry entries are removed:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485866016}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{20000000-0000-0000-0000-000000000000}]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
  • [HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc850}]
  • [HKEY_CLASSES_ROOT\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
  • [HKEY_CLASSES_ROOT\CLSID\{20000000-0000-0000-0000-000000000000}]
  • [HKEY_CLASSES_ROOT\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
    • "InitString" = "%value%"

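
Read together, the entries above form one home-page hijack chain (the page lists them without saying so, and this reading is the editor's): the dropped "Internet Explorer.IE" files on the desktop and in Quick Launch carry the new .IE/.JE extensions, whose classes get the Internet Explorer icon (shdoclc.dll,0) and an open command that starts iexplore.exe on the attacker's URL; the genuine Internet Explorer desktop icon, whose CLSID is {871C5380-42A0-1069-A2EA-08002B30309D}, is hidden through HideDesktopIcons; HideFileExt = 1 keeps the ".IE" suffix out of sight; and the OpenHomePage verb of the IE shell object {2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} plus IE's own Start Page are pointed at the same URL. The script below is an added example, not ESET's or the trojan's code, that turns the Installation and Registry sections into detection rules over a registry snapshot. The rules are written to generalise rather than match the page's literal values: any file class or CLSID verb that launches iexplore.exe on a fixed URL instead of "%1", any extension mapped to such a class, a hidden IE desktop icon, a Start Page equal to a hijack URL, an autostart entry pointing at the root of a drive (the standard HKLM Run key is assumed), and a kernel driver (Type = 1) whose ImagePath is outside the drivers directory. The snapshot layout, SAMPLE_SNAPSHOT and HIJACK_URL (standing in for the page's redacted address) are constructed; collect_windows uses the standard winreg module and only runs on Windows.

```python
"""Evaluate a registry snapshot for the home-page hijack and persistence described above.

Added example, not ESET's or the trojan's code. Rules generalise the page's entries:
a file class or CLSID verb that launches iexplore.exe on a fixed URL, a fake extension
pointing at such a class, the IE desktop icon hidden, IE's start page set to that URL,
an autostart from a drive root, and a kernel driver loaded from outside \drivers\.
Snapshot layout (key path -> {value name: data}), SAMPLE_SNAPSHOT and HIJACK_URL are
constructed; HIJACK_URL stands in for the URL the page redacts.
"""
import re
import sys

IE_DESKTOP_ICON_CLSID = "{871C5380-42A0-1069-A2EA-08002B30309D}"
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# A legitimate open verb passes the document as "%1"; a literal http URL in its
# place sends every double-click to the attacker's site instead.
IEXPLORE_WITH_URL = re.compile(r'iexplore\.exe"?\s+(https?://[^\s"]+)', re.IGNORECASE)
DRIVE_ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def evaluate(snapshot):
    """Return a list of (rule, key, detail) findings; an empty list means nothing matched."""
    findings, hijack_urls, hijacked_progids = [], set(), set()
    # Pass 1: open/OpenHomePage verbs that launch the browser on a baked-in URL.
    for key, values in snapshot.items():
        cmd = values.get("(Default)")
        if isinstance(cmd, str) and key.lower().endswith(("\\shell\\open\\command", "\\shell\\openhomepage\\command")):
            m = IEXPLORE_WITH_URL.search(cmd)
            if m:
                hijack_urls.add(m.group(1).lower())
                hijacked_progids.add(key.split("\\")[-4].lower())  # the progid or CLSID owning the verb
                findings.append(("iexplore_fixed_url", key, m.group(1)))
    # Pass 2: entries that route users to, or disguise, that verb, plus the persistence.
    for key, values in snapshot.items():
        low, leaf, default = key.lower(), key.split("\\")[-1], values.get("(Default)")
        if leaf.startswith(".") and isinstance(default, str) and default.lower() in hijacked_progids:
            findings.append(("fake_extension", key, f"{leaf} -> {default}"))
        if "\\hidedesktopicons\\" in low and values.get(IE_DESKTOP_ICON_CLSID, 0):
            findings.append(("ie_icon_hidden", key, IE_DESKTOP_ICON_CLSID))
        if low.endswith("\\internet explorer\\main"):
            for name in ("Start Page", "Default_Page_URL"):
                url = values.get(name)
                if isinstance(url, str) and url.lower() in hijack_urls:
                    findings.append(("start_page_hijacked", key, f"{name} = {url}"))
        if low.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and DRIVE_ROOT_EXE.match(data):
                    findings.append(("run_from_drive_root", key, f"{name} = {data}"))
        if low.startswith(SERVICES_PREFIX) and values.get("Type") == 1:
            image = str(values.get("ImagePath", ""))
            if "\\drivers\\" not in image.lower():
                findings.append(("kernel_driver_outside_drivers", key, image))
    return findings


def collect_windows(keys):
    """Read the given keys on a live Windows host (winreg exists only there) into the snapshot layout."""
    import winreg
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE, "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for path in keys:
        root, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as handle:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, i)
                    except OSError:  # no more values
                        break
                    values[name or "(Default)"] = data
                    i += 1
                snapshot[path] = values
        except OSError:  # key absent or access denied
            pass
    return snapshot


HIJACK_URL = "http://hijack.example"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_SNAPSHOT = {  # constructed from the entries on the page, plus two benign controls at the end
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IE\shell\open\command": {"(Default)": f"{IEXPLORE} {HIJACK_URL}"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.IE": {"(Default)": "IE"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command":
        {"(Default)": f"{IEXPLORE} {HIJACK_URL}"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel":
        {IE_DESKTOP_ICON_CLSID: 2},
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main": {"Start Page": HIJACK_URL, "Default_Page_URL": HIJACK_URL},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"Alg": r"C:\alg.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hello_tt": {"Type": 1, "Start": 3, "ImagePath": r"C:\WINDOWS\system32\hello_tt.sys"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command": {"(Default)": f'"{IEXPLORE}" -nohome'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm": {"(Default)": "htmlfile"},
}

if __name__ == "__main__":
    snapshot = collect_windows(list(SAMPLE_SNAPSHOT)) if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for rule, key, detail in evaluate(snapshot):
        print(f"{rule:30} {key}  ::  {detail}")
```

On Windows the script reads the same key paths live (extend the list with the HKEY_CLASSES_ROOT and .JE variants from the page, or enumerate every extension class under HKEY_LOCAL_MACHINE\SOFTWARE\Classes, to widen coverage); elsewhere it runs the rules against the constructed snapshot, where the benign htmlfile verb and the system32 ctfmon.exe autostart must stay silent while the eight hijack and persistence entries fire.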
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • collect information about the operating system used
  • send gathered information
  • update itself to a newer version
