Win32/Gudra [Threat Name] go to Threat

Win32/Gudra.A [Threat Variant Name]

Category trojan
Size 72704 B
Detection created Oct 21, 2015
Detection database version 12444
Aliases Trojan-Dropper.Win32.Agent.sbcr (Kaspersky)
  Trojan:Win32/Gudra.A (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.


When executed, the trojan copies itself into the following location:

  • %windir%\­system32\­Mp%variable1%.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­MpK%variable2%]
    • "ErrorControl" = 1
    • "Group" = "System Reserved"
    • "ImagePath" = "%windir%\­system32\­Mp%variable1%.dll"
    • "Start" = 0
    • "Type" = 1

This causes the trojan to be executed on every system start.

The following Registry entries are set:

  • [REGISTRY\­MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion]
    • "Version" = 65589
    • "Identity" = "%variable3%"

A string with variable content is used instead of %variable1-3% .

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The UDP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan may create and run a new thread with its own program code within any running process.

The trojan hides its presence in the system. It uses techniques common for rootkits.

Please enable Javascript to ensure correct displaying of this content and refresh this page.