Win32/Glupteba (threat name)
Win32/Glupteba.M (threat variant name)
Category: trojan
Size: 50682 B
Aliases: Trojan-Downloader.Win32.Goo.ed (Kaspersky), TrojanDownloader:Win32/Carberp.R (Microsoft)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %localappdata%\NVIDIA Corporation\Update\daemonupd.exe (19456 B)
- %localappdata%\Google\Update\gupdate.exe (19456 B)
- %localappdata%\Microsoft\Windows\winupdate.exe (19456 B)
The trojan registers itself as a system service using the following name:
- nvUpdService
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - "nvUpdService" = "%localappdata%\NVIDIA Corporation\Update\daemonupd.exe"
  - "Google Update" = "%localappdata%\Google\Update\gupdate.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nvUpdService]
  - "Type" = 16
  - "Start" = 2
  - "ImagePath" = "%localappdata%\NVIDIA Corporation\Update\daemonupd.exe /svc"
  - "DisplayName" = "NVIDIA Update Service"
  - "ObjectName" = "LocalSystem"
  - "Description" = "NVIDIA Settings Update Manager service, used to check new updates from NVIDIA server."
The trojan creates the following file:
- %commonstartup%\winupdate.lnk
The file is a shortcut to a malicious file.
This causes the trojan to be executed on every system start.
After the installation is complete, the trojan deletes the original executable file.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 40 URLs. The HTTP protocol is used.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\nvUpdate]
  - "value" = "20110829"
  - "GUID" = "%variable%"
  - "svalue" = "%variable%"
- [HKEY_CURRENT_USER\Software\NVIDIA Corporation\Global\nvUpdate]
  - "value" = "20110829"
  - "GUID" = "%variable%"
  - "svalue" = "%variable%"
A string with variable content is used instead of %variable%.
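The following PowerShell script is an added example, not part of the original description and not ESET's code. It audits a Windows host for the persistence artifacts listed in the Installation section (dropped executables, the nvUpdService service, the HKCU Run values, the Startup-folder shortcut) and the marker keys listed above under Other information. Every path, value name and value is taken from this page; the only assumption beyond the page is that CurrentControlSet is checked alongside the documented ControlSet001, since they normally map to the same services key. Run it from an elevated session so that the HKLM service key is readable, and treat any hit as a lead for triage: the NVIDIA vendor hive can exist legitimately, and the specific indicator is the nvUpdate subkey carrying "value" = "20110829".

```powershell
# Added example (not ESET's code): audit a host for the persistence artifacts
# documented for Win32/Glupteba.M. All paths, names and values come from the
# threat description. Returns a list of findings for triage.

function Find-GluptebaMArtifacts {
    $findings = @()
    $lad = $env:LOCALAPPDATA

    # 1. Dropped executables (each documented as 19456 bytes)
    $dropped = @(
        "$lad\NVIDIA Corporation\Update\daemonupd.exe",
        "$lad\Google\Update\gupdate.exe",
        "$lad\Microsoft\Windows\winupdate.exe"
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) {
            $size = (Get-Item -LiteralPath $p).Length
            $findings += [pscustomobject]@{
                Type   = 'DroppedFile'
                Where  = $p
                Detail = "size=$size bytes (documented: 19456)"
            }
        }
    }

    # 2. Service registration. The page documents ControlSet001; CurrentControlSet
    #    is checked as well (assumption: it maps to the live services key).
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        $svcKey = "HKLM:\SYSTEM\$cs\Services\nvUpdService"
        if (Test-Path -LiteralPath $svcKey) {
            $svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Type   = 'Service'
                Where  = $svcKey
                Detail = "ImagePath=$($svc.ImagePath); Start=$($svc.Start); ObjectName=$($svc.ObjectName)"
            }
        }
    }

    # 3. HKCU Run values used for per-user autostart
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'nvUpdService', 'Google Update') {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Where  = "$runKey\$name"
                Detail = $run.$name
            }
        }
    }

    # 4. Common Startup-folder shortcut; resolve its target so the triager sees what it launches
    $lnk = Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'winupdate.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
        $findings += [pscustomobject]@{ Type = 'StartupShortcut'; Where = $lnk; Detail = "target=$target" }
    }

    # 5. Marker keys written by the trojan. The NVIDIA vendor hive can exist legitimately;
    #    the documented indicator is the nvUpdate subkey with "value" = "20110829".
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $mk = "$hive\NVIDIA Corporation\Global\nvUpdate"
        if (Test-Path -LiteralPath $mk) {
            $m = Get-ItemProperty -LiteralPath $mk -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Type   = 'MarkerKey'
                Where  = $mk
                Detail = "value=$($m.value) GUID=$($m.GUID) svalue=$($m.svalue)"
            }
        }
    }
    return $findings
}

$results = Find-GluptebaMArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No Win32/Glupteba.M persistence artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reads; it does not delete files or keys, so it can be run as a first pass before deciding on containment. Because the dropped executables impersonate NVIDIA, Google and Microsoft updaters, the reported file size and the resolved shortcut target are the quickest way to tell a genuine vendor updater from the documented 19456-byte dropper.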