
Goldun.CW


First posted on 01 March 2007.
Source: SecurityHome

Aliases :

Goldun.CW is also known as Trojan-Spy.Win32.Goldun.cw.

Explanation :

Goldun.CW is a trojan downloader that attempts to secretly download and execute a file from a malicious website.

See the Details section for more information.

Description :

Goldun.CW comes as an FSG-packed EXE file. It creates and opens the following bitmap file to hide its original intent:


Note: This image is saved in the default Temporary folder as screen.bmp.

Goldun.CW drops the following UPX-compressed DLL file in the Windows System folder:

  • %systemdir%\mscods.dll
Note: %systemdir% by default is C:\Windows\system32.

The DLL file is installed as a Browser Helper Object (BHO) so that whenever an Internet Explorer session is started, the DLL is also executed. It does this by creating the following Registry keys:
  • [HKCR\CLSID\{45357971-2534-8760-3685-423479197575}]
  • [HKLM\SOFTWARE\Classes\CLSID\{45357971-2534-8760-3685-423479197575}]
The DLL connects to the following URL, downloads the file, and executes it:
  • http://everythingdiscounted.biz/store/images/extras/[REMOVED].jpg
The URL is stored encrypted in the malware's body using a simple XOR routine.
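The single-byte XOR encoding mentioned above is easy to undo during analysis: because XOR with a constant is its own inverse, trying all 256 possible keys on a sample's bytes and looking for anything that decodes to an http(s) URL recovers the download location without running the malware. The following script is an added example, not code from the original description or from the malware; the key value (0x5A), the filler bytes and the placeholder URL are all constructed for the example, since the description does not give the real key.

```python
"""Recovering a single-byte-XOR-encoded URL from a sample's bytes.

Added example, not code from the original description or from the malware.
The key (0x5A), the filler bytes and the placeholder URL are constructed;
the description only says the URL is XOR-encoded with a simple routine.
"""
import re

PLACEHOLDER_URL = "http://example.invalid/store/images/extras/[REMOVED].jpg"
ASSUMED_KEY = 0x5A  # hypothetical key; the description does not give it

# Printable, non-space ASCII run starting with http:// or https://
URL_PATTERN = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


# Constructed stand-in for the malware body: high filler bytes around the
# encoded URL, so the plain string never appears in the "sample". The
# filler decodes to non-printable bytes under the real key, which keeps the
# URL match from running into it.
_FILLER = bytes(range(0x80, 0x90))
SAMPLE_BLOB = _FILLER + xor_bytes(PLACEHOLDER_URL.encode(), ASSUMED_KEY) + _FILLER


def recover_urls(blob: bytes) -> list[tuple[int, str]]:
    """Try every single-byte key and return (key, url) for each decode that
    exposes an http(s) URL. Key 0 is the identity, so URLs stored in the
    clear are reported as well."""
    found = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for match in URL_PATTERN.finditer(decoded):
            found.append((key, match.group().decode("ascii")))
    return found


if __name__ == "__main__":
    # The plain URL is not visible in the blob, but one key exposes it.
    assert PLACEHOLDER_URL.encode() not in SAMPLE_BLOB
    for key, url in recover_urls(SAMPLE_BLOB):
        print(f"key=0x{key:02x}  {url}")
```

On a real sample the same loop is run over the unpacked file (the description notes the EXE is FSG-packed, so unpack first); the key that yields a well-formed URL is the one the malware uses, and the URL itself becomes a network indicator to block and alert on.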

It then drops a file named vbrs.bat into the default Temporary folder in order to delete the original EXE file and then the BAT file itself, removing some of the traces of the infection.
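The file names, CLSID and registry keys above are the host indicators a responder would check for. The following script is an added example, not part of the original description or any vendor tool: it matches those indicators against a directory listing and the text of a registry export. The inventory data embedded in it is constructed sample data, and the Browser Helper Objects list key it also checks is the standard location where Internet Explorer looks up registered BHOs, not a key quoted in the description.

```python
"""Matching the host indicators from this description against inventory data.

Added example, not part of the original description or any vendor tool.
The file list and registry export below are constructed sample data; on a
real host you would feed it a directory listing and the text of `reg export`.
"""
import re

# Indicators taken from the description above.
GOLDUN_CLSID = "{45357971-2534-8760-3685-423479197575}"
GOLDUN_FILENAMES = {"mscods.dll", "screen.bmp", "vbrs.bat"}
# Standard key under which Internet Explorer lists registered BHOs
# (assumed here; the description quotes only the CLSID keys).
BHO_LIST_KEY = r"software\microsoft\windows\currentversion\explorer\browser helper objects"

# Constructed sample inventory from a hypothetical infected host.
SAMPLE_FILES = [
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\mscods.dll",
    r"C:\Users\analyst\AppData\Local\Temp\screen.bmp",
]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{45357971-2534-8760-3685-423479197575}]
@="mscods"

[HKEY_CLASSES_ROOT\CLSID\{45357971-2534-8760-3685-423479197575}\InprocServer32]
@="C:\\Windows\\system32\\mscods.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{45357971-2534-8760-3685-423479197575}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{45357971-2534-8760-3685-423479197575}]
"""

# A .reg export names each key on its own line as [PATH].
KEY_LINE = re.compile(r"^\[([^\]\n]+)\]\s*$", re.MULTILINE)


def registry_key_paths(reg_export: str) -> list[str]:
    """Return the key path of every [..] header in a .reg export."""
    return KEY_LINE.findall(reg_export)


def find_goldun_indicators(files, reg_export):
    """Match file names and registry keys against the indicators above.

    Returns the matching file paths, the registry keys that reference the
    BHO's CLSID, and whether that CLSID appears on the BHO list (meaning
    the DLL would be loaded into every Internet Explorer session)."""
    hits = {"files": [], "registry": [], "bho_registered": False}
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in GOLDUN_FILENAMES:
            hits["files"].append(path)
    clsid = GOLDUN_CLSID.lower()
    for key in registry_key_paths(reg_export):
        k = key.lower()
        if clsid in k:
            hits["registry"].append(key)
            if BHO_LIST_KEY + "\\" + clsid in k:
                hits["bho_registered"] = True
    return hits


if __name__ == "__main__":
    result = find_goldun_indicators(SAMPLE_FILES, SAMPLE_REG_EXPORT)
    for kind, value in result.items():
        print(f"{kind}: {value}")
```

Matching on the CLSID rather than on the DLL name alone is deliberate: the DLL can be renamed or deleted, but as long as the CLSID remains on the BHO list, Internet Explorer will keep trying to load it, so the registry keys are the indicator to clean up together with the file.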

Last update 01 March 2007
