Win32/Glupteba [Threat Name] go to Threat

Win32/Glupteba.M [Threat Variant Name]

Category trojan
Size 50682 B
Aliases Trojan-Downloader.Win32.Goo.ed (Kaspersky)
  TrojanDownloader:Win32/Carberp.R (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan creates the following files:

  • %localappdata%\­NVIDIA Corporation\­Update\­daemonupd.exe (19456 B)
  • %localappdata%\­Google\­Update\­gupdate.exe (19456 B)
  • %localappdata%\­Microsoft\­Windows\­winupdate.exe (19456 B)

The trojan registers itself as a system service using the following name:

  • nvUpdService

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "nvUpdService" = "%localappdata%\­NVIDIA Corporation\­Update\­daemonupd.exe"
    • "Google Update" = "%localappdata%\­Google\­Update\­gupdate.exe"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Services\­nvUpdService]
    • "Type" = 16
    • "Start" = 2
    • "ImagePath" = "%localappdata%\­NVIDIA Corporation\­Update\­daemonupd.exe /svc"
    • "DisplayName" = "NVIDIA Update Service"
    • "ObjectName" = "LocalSystem"
    • "Description" =  "NVIDIA Settings Update Manager service, used to check new updates from NVIDIA server."

The trojan creates the following file:

  • %commonstartup%\­winupdate.lnk

The file is a shortcut to a malicious file.

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (40) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­NVIDIA Corporation\­Global\­nvUpdate]
    • "value" = "20110829"
    • "GUID" = "%variable%"
    • "svalue" = "%variable%"
  • [HKEY_CURRENT_USER\­Software\­NVIDIA Corporation\­Global\­nvUpdate]
    • "value" = "20110829"
    • "GUID" = "%variable%"
    • "svalue" = "%variable%"

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.