
Trojan:Win32/Gitwen.A


First posted on 08 October 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/Gitwen.A is also known as Trojan.Win32.AntiAV.gvy (Kaspersky), Trojan.AntiAV.DRA (VirusBuster), TR/AntiAV.gvy (Avira), Trojan.MulDrop1.45486 (Dr.Web), Trojan.Win32.AntiAV (Ikarus), BackDoor.m (McAfee), BACKDOOR.Trojan (Symantec).

Explanation:

Trojan:Win32/Gitwen.A is a trojan that connects to a remote server to send information about the infected computer. It can also receive certain commands from the same server.

Installation

Upon execution, Trojan:Win32/Gitwen.A creates the following mutex:

  • abcdef

Trojan:Win32/Gitwen.A drops itself as the following file:

  • %ProgramFiles%\Common Files\console.exe

It creates the following registry entry so that it automatically runs every time the computer starts:

  • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Sets value: "Common"
  • With data: "%ProgramFiles%\Common Files\console.exe"

Trojan:Win32/Gitwen.A also creates the following file:

  • %APPDATA%\OECD.txt

Payload

Connects to a remote server

Trojan:Win32/Gitwen.A connects to the following server to send specific information:

  • seoulsummit.dsmtp.com

It attempts to send the following information about the computer on which it is currently running:

  • IP address
  • Windows version
  • System volume serial number

Trojan:Win32/Gitwen.A can also receive messages from the server instructing it to perform the following actions:

  • Uninstall itself from the infected computer
  • Upload a file from the infected computer
  • Terminate itself
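Added example (not part of the original description): a Python triage helper that checks a host against the indicators listed above, namely the "Common" Run value, the two dropped files and the command-and-control hostname. The environment values, Run entries and DNS log lines in the test are constructed for illustration; live collection needs Windows and the standard winreg module.

```python
"""Triage helper for the Trojan:Win32/Gitwen.A indicators described above."""
import os
import re
import sys

# Indicators taken from the description.
RUN_VALUE_NAME = "Common"
RUN_VALUE_DATA = r"%ProgramFiles%\Common Files\console.exe"
DROPPED_FILES = [r"%ProgramFiles%\Common Files\console.exe", r"%APPDATA%\OECD.txt"]
C2_HOST = "seoulsummit.dsmtp.com"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _norm(path, env):
    """Expand %VAR% references (case-insensitive names, like Windows) and normalise the path."""
    env_ci = {k.lower(): v for k, v in env.items()}
    expanded = re.sub(r"%([^%]+)%", lambda m: env_ci.get(m.group(1).lower(), m.group(0)), path)
    return expanded.strip().strip('"').replace("/", "\\").lower()


def match_indicators(run_values, existing_files, env):
    """Return findings for a host. run_values maps HKLM Run value names to data,
    existing_files lists file paths present on the host, env is a dict like os.environ."""
    findings = []
    expected = _norm(RUN_VALUE_DATA, env)
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() and _norm(data, env) == expected:
            findings.append(f"autorun value {name!r} -> {data}")
    present = {_norm(p, env) for p in existing_files}
    for dropped in DROPPED_FILES:
        if _norm(dropped, env) in present:
            findings.append(f"dropped file present: {dropped}")
    return findings


def find_c2_lookups(dns_log_lines):
    """Return DNS/proxy log lines that reference the C2 hostname (case-insensitive)."""
    return [line for line in dns_log_lines if C2_HOST in line.lower()]


def collect_windows_state():
    """Read HKLM Run values and check the dropped-file paths on a live Windows host."""
    import winreg  # standard library, Windows only
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # index 1 = number of values
            name, data, _ = winreg.EnumValue(key, i)
            run_values[name] = str(data)
    existing = [p for p in DROPPED_FILES if os.path.exists(os.path.expandvars(p))]
    return run_values, existing


if __name__ == "__main__" and sys.platform == "win32":
    for finding in match_indicators(*collect_windows_state(), dict(os.environ)):
        print("[!]", finding)
```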

    Analysis by Daniel Radu

    Last update 08 October 2010
