Win32/Gudra [Threat Name]
Win32/Gudra.A [Threat Variant Name]
Category | trojan |
Size | 72704 B |
Detection created | Oct 21, 2015 |
Detection database version | 12444 |
Aliases | Trojan-Dropper.Win32.Agent.sbcr (Kaspersky), Trojan:Win32/Gudra.A (Microsoft) |
Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
Installation
When executed, the trojan copies itself into the following location:
- %windir%\system32\Mp%variable1%.dll
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpK%variable2%]
- "ErrorControl" = 1
- "Group" = "System Reserved"
- "ImagePath" = "%windir%\system32\Mp%variable1%.dll"
- "Start" = 0
- "Type" = 1
This causes the trojan to be executed on every system start.
The following Registry entries are set:
- [REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
- "Version" = 65589
- "Identity" = "%variable3%"
A string with variable content is used instead of %variable1-3%.
After the installation is complete, the trojan deletes the original executable file.
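The installation artifacts listed above can be checked offline against a registry export. The following Python is an added example, not part of the ESET entry: it parses a constructed .reg export and flags a boot-start kernel-driver service (Start = 0, Type = 1) whose ImagePath is an Mp*.dll under %windir%\system32, plus the "Version" = 65589 and "Identity" values under Windows NT\CurrentVersion. The service name MpK7a3f, the file name Mp9c1e.dll and the Identity string are made-up sample values standing in for %variable1-3%. The key the entry writes as REGISTRY\MACHINE\SOFTWARE\... is the native form of HKEY_LOCAL_MACHINE\SOFTWARE\..., which is how a .reg export names it.

```python
"""Added example (not from the ESET entry): scan a .reg-style export for the
Gudra installation artifacts. All registry content below is constructed
sample data; service, file and Identity values are made up."""
import re

# Constructed .reg export: one legitimate boot-start driver, one Gudra-style
# service entry, and the Windows NT\CurrentVersion key with the two markers.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Group"="SCSI Class"
"ImagePath"="System32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpK7a3f]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Group"="System Reserved"
"ImagePath"="C:\\Windows\\system32\\Mp9c1e.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"Version"=dword:00010035
"Identity"="3f9a-constructed"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# The entry lists this key in native form (REGISTRY\MACHINE\SOFTWARE\...);
# a .reg export writes the same location as HKEY_LOCAL_MACHINE\SOFTWARE\...
CURRENTVERSION_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
SERVICE_KERNEL_DRIVER = 1     # "Type" = 1
SERVICE_BOOT_START = 0        # "Start" = 0, loaded at boot
GUDRA_VERSION_MARKER = 65589  # "Version" = 65589 (0x10035) from the entry
# %windir%\system32\Mp<variable>.dll, with %windir% expanded or left literal
GUDRA_IMAGE_RE = re.compile(
    r"^(%windir%|[a-z]:\\windows)\\system32\\mp[^\\]*\.dll$", re.IGNORECASE)


def decode_value(data):
    """Decode dword:XXXXXXXX and "string" data; other types are returned raw."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg escapes backslash and double quote with a leading backslash
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg_export(text):
    """Parse the [key] / "name"=data subset of .reg into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def find_suspicious_driver_services(keys):
    """Return (service, image path, reasons) for Services entries matching the
    installation pattern. Each reason is a review indicator, not a verdict."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        service = key[len(SERVICES_PREFIX):]
        image = str(values.get("ImagePath", ""))
        reasons = []
        if values.get("Type") == SERVICE_KERNEL_DRIVER and image.lower().endswith(".dll"):
            reasons.append("kernel-driver service (Type=1) whose image is a .dll, not the usual .sys")
        if GUDRA_IMAGE_RE.match(image):
            reasons.append("image path matches %windir%\\system32\\Mp*.dll")
        if (values.get("Start") == SERVICE_BOOT_START
                and values.get("Group") == "System Reserved"
                and service.lower().startswith("mpk")):
            reasons.append("boot-start (Start=0) service named MpK* in group 'System Reserved'")
        if reasons:
            hits.append((service, image, reasons))
    return hits


def find_currentversion_markers(keys):
    """Return which of the two CurrentVersion values from the entry are present."""
    found = []
    for key, values in keys.items():
        if key.lower() != CURRENTVERSION_KEY.lower():
            continue
        if values.get("Version") == GUDRA_VERSION_MARKER:
            found.append("Version")
        if "Identity" in values:  # string value set to %variable3% per the entry
            found.append("Identity")
    return found
```

On a live host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and likewise for the CurrentVersion key). Two caveats: an ImagePath stored as REG_EXPAND_SZ appears in an export as `hex(2):...`, which this minimal parser leaves undecoded, and a driver image with a .dll extension is unusual rather than impossible, so each hit is a lead for review, not a verdict.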
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (3) URLs. The UDP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
The trojan may create and run a new thread with its own program code within any running process.
The trojan hides its presence in the system. It uses techniques common for rootkits.