Trojan-Spy:W32/Goldun.RR
First posted on 08 October 2008.
Source: SecurityHome
Aliases:
There are no other names known for Trojan-Spy:W32/Goldun.RR.
Explanation:
A type of trojan that includes a variety of spy programs and keyloggers.
Goldun.RR drops the following files:
- C:\WINDOWS\system32\cabpck.dll
- C:\WINDOWS\system32\krnlcab.sys
The file called cabpck.dll is detected as Trojan-Spy.Win32.Goldun.axn.
The file called krnlcab.sys is detected as Trojan-Spy.Win32.Goldun.axr.
The main file creates the following process and then terminates itself:
- C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck
Network Communications
Goldun.RR attempts to connect to:
- social-bos.biz/jerken/data.php?trackid=706[...]
Registry
It creates a launch point using a Winlogon Notify event:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
DllName = cabpck.dll
Startup = cabpck
Impersonate = 00000001
Asynchronous = 00000001
MaxWait = 00000001
a950 = [2E09BF121A42171A6]
Goldun.RR registers itself as a service:
- HKLM\System\CurrentControlSet\Services\krnlcab
Type = 00000001
Start = 00000001
ErrorControl = 00000000
ImagePath = system32\krnlcab.sys
DisplayName = Cabinet Kernel Packer
- HKLM\System\CurrentControlSet\Services\krnlcab\Security
Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00[...]
Creates this entry so that it will load during safe boot mode:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys
(default) = Driver
Adds itself to the Windows Firewall authorized applications list so as to bypass it:
- HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\system32\rundll32.exe = C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32
Last update 08 October 2008
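The following read-only PowerShell check is an added example, not part of the original write-up: it looks for the persistence artifacts listed above (the Winlogon Notify package, the krnlcab service, the SafeBoot entry, the rundll32.exe firewall exception and the two dropped files) and reports what it finds without removing anything. It assumes the Windows XP-era registry layout the description refers to and that it is run with administrative rights.

```powershell
# Added example: report Goldun.RR persistence artifacts described in the advisory.
# Read-only; nothing is deleted or changed.
$findings = @()

# 1. Winlogon Notify launch point (package name "cabpck")
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck'
if (Test-Path $notify) {
    $dll = (Get-ItemProperty -Path $notify -ErrorAction SilentlyContinue).DllName
    $findings += "Winlogon Notify package present: $notify (DllName=$dll)"
}

# 2. Kernel driver service "krnlcab" (loaded at boot, Start = 1)
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\krnlcab'
if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key present: $svc (ImagePath=$img)"
}

# 3. SafeBoot entry that keeps the driver loading in Safe Mode
$safe = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys'
if (Test-Path $safe) { $findings += "SafeBoot Minimal entry present: $safe" }

# 4. Firewall authorized-application entry for rundll32.exe, in every control set
foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }) {
    $list = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    if (-not (Test-Path $list)) { continue }
    $props = Get-ItemProperty -Path $list
    foreach ($p in $props.PSObject.Properties) {
        # value names are full paths; rundll32.exe should never need a firewall exception
        if ($p.Name -like '*\rundll32.exe') {
            $findings += "Firewall exception for rundll32.exe in $list : $($p.Value)"
        }
    }
}

# 5. Dropped files
foreach ($f in "$env:SystemRoot\system32\cabpck.dll", "$env:SystemRoot\system32\krnlcab.sys") {
    if (Test-Path $f) { $findings += "Dropped file present: $f" }
}

if ($findings.Count -eq 0) { 'No Goldun.RR artifacts found.' } else { $findings }
```

A hit on check 4 alone is worth investigating even without the other artifacts, since a firewall exception for rundll32.exe is not something legitimate software normally needs.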