Trojan.Guildma
First posted on 06 February 2016.
Source: Symantec
Aliases: There are no other names known for Trojan.Guildma.
Explanation:
The Trojan may be downloaded by other malware.
When the Trojan is executed, it creates the following files:
- %ProgramData%\Administrator\037guild.log
- %ProgramData%\Administrator\037vrxi.log
- %ProgramData%\Administrator\[Username]sys64.log
- [DRIVE LETTER]\Documents and Settings\Administrator\Local Settings\Temp\java_update35.vbs
The Trojan creates the following registry entries so that it runs every time Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v JavaAdministrator /t REG_SZ /d "regsvr32.exe /s ""c:\ProgramData\Administrator\[USERNAME]j.gif"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: 0x00000000
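The dropped files and the two registry artifacts above are the most durable host-based indicators in this writeup: a Run-key value that uses regsvr32.exe to load a ".gif" from %ProgramData%\Administrator, and EnableLUA being forced to 0. The following Python is an added example (not Symantec's code and not part of this advisory) that runs those checks over a small set of constructed, Sysmon-style event records; the event field names, the "alice" username and the regular expressions are assumptions made for the example, and the paths are taken from the advisory with the environment variable expanded as it would appear in real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Tags returned for each indicator family described in the advisory.
TAG_RUN_KEY = "run_key_regsvr32_gif"     # HKCU\...\Run value loading a .gif via regsvr32 /s
TAG_UAC_OFF = "enablelua_zero"           # HKLM\...\Policies\System\EnableLUA = 0
TAG_LOG_DROP = "programdata_admin_log"   # %ProgramData%\Administrator\*.log
TAG_VBS_DROP = "java_update35_vbs"       # ...\Local Settings\Temp\java_update35.vbs

# Assumed patterns; Run-key and Policies\System keys are matched by suffix so the
# HKCU/HKEY_CURRENT_USER and HKLM/HKEY_LOCAL_MACHINE spellings both work.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
REGSVR_GIF_RE = re.compile(
    r'regsvr32(?:\.exe)?\s+/s\s+"?[^"]*\\ProgramData\\Administrator\\[^"]*\.gif', re.I)
UAC_KEY_RE = re.compile(r"\\Policies\\System$", re.I)
LOG_FILE_RE = re.compile(r"\\ProgramData\\Administrator\\[^\\]+\.log$", re.I)
VBS_FILE_RE = re.compile(r"\\Local Settings\\Temp\\java_update35\.vbs$", re.I)


def _dword_is_zero(data: str) -> bool:
    """Accept '0', '0x00000000' or Sysmon's 'DWORD (0x00000000)' rendering."""
    m = re.search(r"0x[0-9a-f]+|\d+", data, re.I)
    return m is not None and int(m.group(0), 0) == 0


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an indicator tag for one event, or None if it matches nothing."""
    kind = event.get("type", "")
    if kind == "registry_set":
        key = event.get("key", "")
        value = event.get("value", "").lower()
        data = event.get("data", "")
        if RUN_KEY_RE.search(key) and (value == "javaadministrator" or REGSVR_GIF_RE.search(data)):
            return TAG_RUN_KEY
        if UAC_KEY_RE.search(key) and value == "enablelua" and _dword_is_zero(data):
            return TAG_UAC_OFF
    elif kind == "file_create":
        path = event.get("path", "")
        if LOG_FILE_RE.search(path):
            return TAG_LOG_DROP
        if VBS_FILE_RE.search(path):
            return TAG_VBS_DROP
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, tag) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        tag = classify(ev)
        if tag:
            hits.append((i, tag))
    return hits


# Constructed sample events for the example; "alice" is a placeholder username.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "JavaAdministrator",
     "data": r'regsvr32.exe /s "c:\ProgramData\Administrator\alicej.gif"'},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "DWORD (0x00000000)"},
    {"type": "registry_set",                          # benign autorun, must not match
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\ProgramData\Administrator\037guild.log"},
    {"type": "file_create",
     "path": r"C:\Documents and Settings\Administrator\Local Settings\Temp\java_update35.vbs"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The regsvr32 match is keyed on the combination of the /s switch, the ProgramData\Administrator directory and a .gif extension rather than on regsvr32.exe alone, which is a legitimate signed binary; the EnableLUA check normalises the DWORD text so it does not depend on which tool rendered the event.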
The Trojan terminates if the system path contains any of the following strings:
abcxpabcxpbisonwoobrbrbbrbrbdhomeoffdfacjohnpcluserpcmalwareplaceholfasagatsakuratequilaboomboomvirusvmgclientzangief
The Trojan connects to the following remote locations:
- dim.noticiadodiaxxxa.zzux.com
- [DOMAIN]/02/dsct.txt
Note: [DOMAIN] may be the following:
- goldensystem23[SINGLE DIGIT].com
- gold37666.thaieasydns.com
- gold33666.thaieasydns.com
- [SINGLE DIGIT]masterxx0i0.com
- [TWO DIGITS]masterxx0i0.com
- stoxyx12[SINGLE DIGIT].net
The Trojan steals the following information from the compromised computer and sends it to the remote attacker:
- Hostname
- Original system path where the VBS file was executed
- OS version
- Other system data
- System locale
- Volume serial number
The Trojan may perform the following actions:
- Capture screenshots
- Collect email addresses from Outlook contacts
- Create new desktop named lordc0d3
- Delete current user from HomeGroup
- Disable Windows User Account Control (UAC)
- Download a file
- Enable Windows User Account Control (UAC)
- Execute a file using cmd.exe
- Execute svchost.exe and inject downloaded payload
- Logout from certain websites
- Reboot the computer
- Switch desktops
- Upload a file

Last update 06 February 2016