Home / malwarePDF  

TrojanSpy:Win32/Gauss.A


First posted on 14 August 2012.
Source: Microsoft

Aliases :

TrojanSpy:Win32/Gauss.A is also known as Trojan-Spy.Win32.Gauss.wmiq (Kaspersky), Trojan.Gauss.7 (Dr.Web), Win32/Spy.Gauss.A trojan (ESET), PWS-Gauss (McAfee), W32/Gauss-A (Sophos), TSPY_GAUSS.EVL (Trend Micro), Gauss (other).

Explanation :



TrojanSpy:Win32/Gauss.A is a trojan that terminates certain system processes. It also loads other malware, which may already be installed in your computer.



Installation

TrojanSpy:Win32/Gauss.A is installed in your computer as one of the following files:

  • <system folder>\wbem\wmiqry32.dll
  • <system folder>\wbem\wmihlp32.dll


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.



Payload

Terminates certain processes

TrojanSpy:Win32/Gauss.A checks for the following processes, and terminates them if found:

  • acs.exe
  • adoronsfirewall.exe
  • alertwall.exe
  • almon.exe
  • alsvc.exe
  • alupdate.exe
  • antihook.exe
  • app_firewall.exe
  • apvxdwin.exe
  • armorwall.exe
  • as3pf.exe
  • asr.exe
  • aupdrun.exe
  • authfw.exe
  • avas.exe
  • avcom.exe
  • avkproxy.exe
  • avkservice.exe
  • avktray.exe
  • avkwctl.exe
  • avkwctrl.exe
  • avmgma.exe
  • avtask.exe
  • aws.exe
  • backgroundscanclient.exe
  • bgctl.exe
  • bgnt.exe
  • blackd.exe
  • blackice.exe
  • blinksvc.exe
  • bootsafe.exe
  • bullguard.exe
  • cavapp.exe
  • cavasm.exe
  • cavaud.exe
  • cavcons.exe
  • cavemsrv.exe
  • cavmr.exe
  • cavmud.exe
  • cavoar.exe
  • cavq.exe
  • cavsn.exe
  • cavsub.exe
  • cavumas.exe
  • cavuserupd.exe
  • cavvl.exe
  • cdas17.exe
  • cdas2.exe
  • cdinstx.exe
  • cemrep.exe
  • clamd.exe
  • cmain.exe
  • cmdagent.exe
  • cmgrdian.exe
  • configmgr.exe
  • configuresav.exe
  • cpd.exe
  • csi-eui.exe
  • cv.exe
  • dcsuserprot.exe
  • dfw.exe
  • dlservice.exe
  • dltray.exe
  • dvpapi.exe
  • emlproui.exe
  • emlproxy.exe
  • endtaskpro.exe
  • espwatch.exe
  • ethereal.exe
  • fameh32.exe
  • fgui.exe
  • filedeleter.exe
  • filemon.exe
  • firewall.exe
  • firewall2004.exe
  • firewallgui.exe
  • fsma32.exe
  • fsrt.exe
  • fwsrv.exe
  • gateway.exe
  • hpf_.exe
  • iface.exe
  • instlsp.exe
  • invent.exe
  • ipatrol.exe
  • ipcserver.exe
  • ipctray.exe
  • kpf4gui.exe
  • kpf4ss.exe
  • licwiz.exe
  • livehelp.exe
  • lookout.exe
  • lpfw.exe
  • mpf.exe
  • mpfcm.exe
  • netcap.exe
  • netguard lite.exe
  • netguardlite.exe
  • netmon.exe
  • nstzerospywarelite.exe
  • oasclnt.exe
  • omnitray.exe
  • onaccessinstaller.exe
  • onlinent.exe
  • op_mon.exe
  • opf.exe
  • opfsvc.exe
  • outpost.exe
  • packetizer.exe
  • packetyzer.exe
  • pcipprev.exe
  • pctav.exe
  • pctavsvc.exe
  • pcviper.exe
  • persfw.exe
  • pfft.exe
  • pgaccount.exe
  • prevxcsi.exe
  • prifw.exe
  • privatefirewall 3.exe
  • privatefirewall3.exe
  • procguard.exe
  • procmon.exe
  • protect.exe
  • pxagent.exe
  • rawshark.exe
  • rdtask.exe
  • rtt_crc_service.exe
  • sab_wab.exe
  • sagui.exe
  • savadminservice.exe
  • savcleanup.exe
  • savcli.exe
  • savmain.exe
  • savprogress.exe
  • savservice.exe
  • scfmanager.exe
  • scfservice.exe
  • schedulerdaemon.exe
  • sdcdevcon.exe
  • sdcdevconia.exe
  • sdcdevconx.exe
  • sdcservice.exe
  • sdtrayapp.exe
  • siteadv.exe
  • sndsrvc.exe
  • sniffer.exe
  • snsmcon.exe
  • snsupd.exe
  • softact.exe
  • sp_rsser.exe
  • spfirewallsvc.exe
  • sppfw.exe
  • spybotsd.exe
  • spyhunter3.exe
  • spywareterminatorshield.exe
  • spywat~1.exe
  • ssupdate.exe
  • superantispyware.exe
  • tcpdump.exe
  • terminet.exe
  • tethereal.exe
  • thguard.exe
  • tppfdmn.exe
  • tscutynt.exe
  • tshark.exe
  • tzpfw.exe
  • umxagent.exe
  • umxtray.exe
  • updclient.exe
  • uupd.exe
  • uwcdsvr.exe
  • vcatch.exe
  • vdtask.exe
  • vsdesktop.exe
  • webwall.exe
  • windump.exe
  • winroute.exe
  • wireshark.exe
  • wwasher.exe
  • xauth_service.exe
  • xfilter.exe
  • zanda.exe
  • zerospywarele.exe
  • zerospywarelite_installer.exe
  • zlh.exe


Loads other malware

TrojanSpy:Win32/Gauss.A loads the following plug-ins, which may already be installed in your computer:

  • devwiz.ocx - detected as TrojanSpy:Win32/Gauss.plugin!A
  • dskapi.ocx - detected as TrojanSpy:Win32/Gauss.plugin!B
  • smdk.ocx - detected as TrojanSpy:Win32/Gauss.plugin!B
  • lanhlp32.ocx - detected as TrojanSpy:Win32/Gauss.plugin!C
  • mcdmn.ocx - detected as TrojanSpy:Win32/Gauss.plugin!D
  • windig.ocx - detected as TrojanSpy:Win32/Gauss.plugin!E
  • winshell.ocx - detected as TrojanSpy:Win32/Gauss.plugin!F


These plug-ins provide additional functionality for the malware family, including:

  • Spreading by exploiting the vulnerability resolved with the release of Microsoft Security Bulletin MS10-046
  • Stealing information about your computer, such as the operating system version, network interfaces and networking information, processes that are currently running, and disk information
  • Stealing stored usernames and passwords, as well as cookies




Analysis by Vincent Tiu

Last update 14 August 2012

 

TOP

Malware :

Family: