Home / malware Trojan:Win32/Gitwen.A
First posted on 08 October 2010.
Source: SecurityHomeAliases :
Trojan:Win32/Gitwen.A is also known as Trojan.Win32.AntiAV.gvy (Kaspersky), Trojan.AntiAV.DRA (VirusBuster), TR/AntiAV.gvy (Avira), Trojan.MulDrop1.45486 (Dr.Web), Trojan.Win32.AntiAV (Ikarus), BackDoor.m (McAfee), BACKDOOR.Trojan (Symantec).
Explanation :
Trojan:Win32/Gitwen.A is a trojan that connects to a remote server to send information about the infected computer. It can also receive certain commands from the same server.
Top
Trojan:Win32/Gitwen.A is a trojan that connects to a remote server to send information about the infected computer. It can also receive certain commands from the same server. Installation Upon execution, Trojan:Win32/Gitwen.A creates the following mutex:abcdef Trojan:Win32/Gitwen.A drops itself as the following file:%ProgramFiles%\Common Files\console.exe It creates the following registry entry so that it automatically runs every time the computer starts: In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "Common" With data: "%ProgramFiles%\Common Files\console.exe" Trojan:Win32/Gitwen.A also creates the following file:%APPDATA%\OECD.txt Payload Connects to a remote server Trojan:Win32/Gitwen.A connects to the following server to send specific information: seoulsummit.dsmtp.com It attempts to send the following information about about the computer in which it is currently running: IP Address Windows version System volume serial number Trojan:Win32/Gitwen.A can also receive messages from the server to perform the following actions: Uninstall itself from the infected computer Upload a file from the infected computer Requests the malware to terminate itself
Analysis by Daniel RaduLast update 08 October 2010
