====== Goldun/Haxspy ======

===== General =====

**Method of propagation:**
   * This is not a virus and does not contain any method to replicate. However, this file may be downloaded by other viruses and/or Trojans and installed on the user's system.

**Platforms / OS:**
   * Windows 95
   * Windows 98
   * Windows 98 SE
   * Windows NT
   * Windows ME
   * Windows 2000
   * Windows XP
   * Windows 2003

**Side effects:**
   * Drops malicious files
   * Registry modification
   * Steals information

===== Files =====

File: Install.exe
Hash: 601b43c39f726d975f035cc98c146f99

This trojan may use a standard icon, such as that of a Microsoft Word document or a JPEG image.

The following files are created:

– %SYSDIR%\wndtx1.dll
  It is executed as soon as it has been fully written to disk. Further investigation showed that this file is malware as well.
  Hash: bed399d56b82369eb7fb95caad16de04
  Detected as: TR/Dldr.Bolol.A.4, PWS-Goldun (Password Stealer trojan)

– %SYSDIR%\ipudpb2.sys
  Hash: 14ab6317620fb234c436f8114fab7f26
  Detected as: TR/Spy.Haxspy.AE, BackDoor-BAC.sys (Remote Access trojan)

===== Registry =====

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Control]
   * "isfr2" = "[%random character string%[%current username% ]"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
   * "DllName" = wndtx1.dll
   * "Startup" = "wndtx1"
   * "Impersonate" = dword:00000001
   * "Asynchronous" = dword:00000001
   * "MaxWait" = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2]
   * "Type" = dword:00000001
   * "Start" = dword:00000001
   * "ErrorControl" = dword:00000000
   * "ImagePath" = \??\%SYSDIR%\IPUDPB2.SYS
   * "DisplayName" = "IP2 UDPB2"

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Security]
   * "Security" = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ipudpb2\Enum]
   * "0" = "Root\\LEGACY_IPUDPB2\\0000"
   * "Count" = dword:00000001
   * "NextInstance" = dword:00000001

The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager]
  Old value:
   * "PendingFileRenameOperations" = %hex values%
  New value:
   * "PendingFileRenameOperations" = %hex values%

===== Backdoor =====

**Contact server:**
The following:
   * !http://www.salidol.biz/********************

It may send information to this server, and remote control may be provided through it. Communication uses HTTP GET and POST requests to a PHP script.

**Sends information about:**
   * Current user
   * Collected information described in the Stealing section
   * Information about the Windows operating system

===== Stealing =====

It tries to steal the following information:

– Passwords typed into 'password input fields'

– A logging routine is started after one of the following websites is visited:
   * !http://www.e-gold.com
   * %any HTTPS website that contains a login form%

– It captures:
   * Window information
   * Browser window
   * Login information

===== Injection =====

– It injects the following file into a process: %SYSDIR%\wndtx1.dll

  All of the following processes:
   * iexplore.exe
   * %all processes started after malware is active in memory%

===== Rootkit Technology =====

It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.

Hides the following:

Method used:
   * Hidden from Windows API

Hooks the following API functions:
   * NtCreateProcess
   * NtCreateProcessEx
   * ZwCreateProcess
   * ZwCreateProcessEx

===== File details =====

Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   * FSG

-- Main.FredPettis - 26 Mar 2009
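The registry keys listed in the Registry section above can be checked for in a `.reg` export taken from a suspect machine. The following is an added example (not part of the original report and not Avira's or the author's code): a minimal parser for Windows Registry Editor exports plus a lookup of the three persistence indicators the report names; the `INDICATORS` table and the sample export are constructed for this example, and the `system32` path in the sample is an assumed value for `%SYSDIR%`.

```python
"""Flag the Goldun/Haxspy registry indicators from this report in a .reg export.
Hypothetical helper written for this page; indicator list taken from the report."""
import re

# (key path, value name that must exist under it); matching is case-insensitive.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control", "isfr2"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\Winlogon\Notify\wndtx1", "DllName"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipudpb2", "ImagePath"),
]

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=value


def parse_reg(text):
    """Parse a Windows Registry Editor export into {key_lower: {name: raw_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip('"')
    return keys


def find_indicators(text):
    """Return (key, value_name, value) for each report indicator found in the export."""
    keys = parse_reg(text)
    return [(path, name, keys[path.lower()][name])
            for path, name in INDICATORS
            if name in keys.get(path.lower(), {})]


# Constructed sample export reproducing two of the keys the report lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wndtx1]
"DllName"="wndtx1.dll"
"Startup"="wndtx1"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipudpb2]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\IPUDPB2.SYS"
"DisplayName"="IP2 UDPB2"
"""

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG):
        print("indicator:", *hit)
```

Run it against `reg export HKLM hklm.reg` output (UTF-16 exports must be decoded first) to get the same tuples for a real machine.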