
Backdoor.Goldsun


First posted on 13 August 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Goldsun.

Explanation:

When the Trojan is executed, it creates the following files:
%System%\schmup.sys
%System%\spxroute.tmp

Next, the Trojan creates the following folder:
%System%\Plugins

The Trojan then creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{76891FC6-C786-11DD-CE70-0800B7B60147}\000\"Indeo" = "0"

The Trojan then connects to the following remote location:
avast.avstore.com.tw

If the Trojan cannot connect to this remote location, it will then connect to bz.kimoo.com.tw using the following hardcoded DNS servers:
212.118.243.118
216.52.184.230
218.16.121.32
61.145.112.78
63.251.83.36
64.74.96.242
69.251.142.1

The Trojan may then gather the following information:
Host name
MAC address
IP address
OS version
Language settings
Malware version
System directory
List of available drives

The Trojan may then perform the following actions:
Create a remote shell
Download and search for files
End itself
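The indicators in this write-up (dropped files, the registry marker, the two contact domains and the hardcoded DNS server addresses) are the kind of thing a defender would sweep endpoint telemetry for. The script below is an added example, not part of the Symantec write-up: it normalises a small, constructed tab-separated event log (timestamp, event type, detail) and reports which lines match an indicator from the description above. The event types FileCreate, RegistrySet, DnsQuery and NetConnect and the log layout are assumptions made for the example; real telemetry would need its own parser in place of scan().

```python
import re

# Indicators quoted from the Backdoor.Goldsun write-up, lower-cased for matching.
DROPPED_FILES = {r"%system%\schmup.sys", r"%system%\spxroute.tmp", r"%system%\plugins"}
REGISTRY_KEY = (r"hkey_local_machine\system\currentcontrolset\control\class"
                r"\{76891fc6-c786-11dd-ce70-0800b7b60147}\000")
REGISTRY_VALUE = "indeo"
C2_DOMAINS = {"avast.avstore.com.tw", "bz.kimoo.com.tw"}
HARDCODED_DNS = {
    "212.118.243.118", "216.52.184.230", "218.16.121.32", "61.145.112.78",
    "63.251.83.36", "64.74.96.242", "69.251.142.1",
}

# Concrete system directory spellings folded back to the %System% placeholder.
_SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\system32", re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Rewrite e.g. C:\\Windows\\System32\\x to %system%\\x, lower-cased."""
    return _SYSTEM_DIR.sub("%system%", path.strip()).lower()


def normalize_registry_key(key: str) -> str:
    """Expand the HKLM abbreviation so the key compares against the full hive name."""
    key = key.strip().lower()
    if key.startswith("hklm\\"):
        key = "hkey_local_machine\\" + key[len("hklm\\"):]
    return key


def classify(event_type: str, detail: str):
    """Return the indicator kind one event matches, or None if it is benign."""
    if event_type == "FileCreate":
        if normalize_path(detail) in DROPPED_FILES:
            return "dropped_file"
    elif event_type == "RegistrySet":
        # Detail is "<key path>\<value name>=<data>"; the key is everything before the last backslash.
        key, _, value = detail.rpartition("\\")
        name = value.split("=", 1)[0]
        if normalize_registry_key(key) == REGISTRY_KEY and name.lower() == REGISTRY_VALUE:
            return "registry_marker"
    elif event_type == "DnsQuery":
        if detail.strip().lower() in C2_DOMAINS:
            return "c2_domain"
    elif event_type == "NetConnect":
        # Detail is "host:port"; only the host is compared.
        host = detail.strip().rsplit(":", 1)[0]
        if host in HARDCODED_DNS:
            return "hardcoded_dns_server"
    return None


def scan(lines):
    """Return (indicator kind, timestamp, detail) for every matching log line."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than fail the whole sweep
        timestamp, event_type, detail = parts
        kind = classify(event_type, detail)
        if kind is not None:
            hits.append((kind, timestamp, detail))
    return hits


# Constructed sample telemetry for the example: five indicator hits and three benign events.
SAMPLE_LOG = [
    "2014-08-13T10:01:02Z\tFileCreate\tC:\\Windows\\System32\\schmup.sys",
    "2014-08-13T10:01:02Z\tFileCreate\tC:\\Windows\\System32\\drivers\\etc\\hosts",
    "2014-08-13T10:01:03Z\tFileCreate\tC:\\Windows\\System32\\Plugins",
    "2014-08-13T10:01:04Z\tRegistrySet\tHKLM\\SYSTEM\\CurrentControlSet\\Control\\Class"
    "\\{76891FC6-C786-11DD-CE70-0800B7B60147}\\000\\Indeo=0",
    "2014-08-13T10:01:05Z\tDnsQuery\tupdate.example.com",
    "2014-08-13T10:01:06Z\tDnsQuery\tavast.avstore.com.tw",
    "2014-08-13T10:01:07Z\tNetConnect\t10.0.0.1:53",
    "2014-08-13T10:01:08Z\tNetConnect\t212.118.243.118:53",
]

if __name__ == "__main__":
    for kind, timestamp, detail in scan(SAMPLE_LOG):
        print(f"{timestamp} {kind}: {detail}")
```

A NetConnect to one of the hardcoded resolvers is worth treating as its own signal: the write-up says the Trojan only falls back to those servers when avast.avstore.com.tw is unreachable, so a host talking to them directly on port 53 is bypassing the organisation's configured DNS, which is unusual for legitimate software regardless of which domain is being resolved.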

Last update 13 August 2014
