Virus: TR/Spy.Goldun.CI
Date discovered: 11/10/2005
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 10.296 Bytes
MD5 checksum: AC5F9A4561DC118AD143CFF3331B9B4E
VDF version: 6.32.00.77

General method of propagation:
   • No own spreading routine


Alias:
   •  Kaspersky: Trojan-Spy.Win32.Goldun.ci


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification
   • Steals information

Files:
   • It deletes the initially executed copy of itself.



The following file is created:
   • %SYSDIR%\msgalo.dll

Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.Goldun.ci.2

Registry:
The following registry keys are added:

– [HKCR\CLSID\{56262124-6251-5625-3072-548536364311}]
   • "plugin"=hex:5d,1e,6c,e2,d0,4c,ec,67,a1,51,5f,ee,28,94,69,3a,1c,bd,c1,91,8c,9f,95,25,78,16,c4,f4,d7,b2,40,91,21,52,08,97,d2
   • "notify"=hex:5d,1e,6c,e2,d0,4c,ec,67,a1,51,5f,ee,28,94,69,3a,1c,bd,c1,91,8c,9f,95,25,78,16,34,ec,df,c2,48,29,21,72,98,9f,da
   • "sbanker0001"=hex:5d,1e,6c,e2,d0,4c,ec,67,a1,51,5f,ee,28,94,69,3a,1c,bd,c1,91,8c,9f,95,25,78,16,54,9c,0f,d2,60,41,21,52,f7,2f,0b
   • "form0001"=hex:5d,1e,6c,e2,d0,4c,ec,67,a1,51,5f,ee,28,94,69,3a,1c,bd,c1,91,8c,9f,95,25,78,16,c4,04,07,4a,c0,93,f3,32,68,06
   • "tripp0001"=hex:5d,1e,6c,e2,d0,4c,ec,67,a1,51,5f,ee,28,94,69,3a,1c,bd,c1,91,8c,9f,95,25,78,16,dc,14,0d,0a,38,61,52

– [HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32]
   • @="%SYSDIR%\msgalo.dll"
   • "ThreadingModel"="Apartment"
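The following PowerShell triage script is an added example for defenders and is not part of the original Avira description. It checks a Windows host for the host-based indicators listed above (the CLSID registration, its InprocServer32 default value, the five binary values, and the dropped msgalo.dll in the system directory) and separately compares a suspect file against the dropper's published size and MD5 checksum. The function names, the use of the System32 directory for %SYSDIR%, and the assumption that the page's "10.296 Bytes" means 10296 bytes are this example's own; it only reports and does not delete anything.

```powershell
# Added triage example (not from the Avira description). Checks a host for the
# indicators listed in the description of TR/Spy.Goldun.CI and reports findings.

$Clsid     = '{56262124-6251-5625-3072-548536364311}'
$KeyPath   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
# Assumption: %SYSDIR% from the description corresponds to System32 on the scanned host.
$DllPath   = Join-Path $env:SystemRoot 'System32\msgalo.dll'
# Dropper indicators from the description (size assumed to mean 10296 bytes).
$KnownMd5  = 'AC5F9A4561DC118AD143CFF3331B9B4E'
$KnownSize = 10296
$BinaryValueNames = 'plugin', 'notify', 'sbanker0001', 'form0001', 'tripp0001'

function Test-GoldunHostIndicators {
    # Returns a list of human-readable findings; an empty list means none of the
    # listed registry or file indicators were found.
    $findings = [System.Collections.Generic.List[string]]::new()

    if (Test-Path -LiteralPath $KeyPath) {
        $findings.Add("CLSID key present: $KeyPath")

        # InprocServer32 default value should name the dropped DLL if this is the infection.
        $inproc = Get-ItemProperty -LiteralPath "$KeyPath\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc -and $inproc.'(default)' -like '*msgalo.dll') {
            $findings.Add("InprocServer32 points at: $($inproc.'(default)')")
        }

        # The description lists five REG_BINARY values directly under the CLSID key.
        $key = Get-Item -LiteralPath $KeyPath
        foreach ($name in $BinaryValueNames) {
            if ($key.GetValueNames() -contains $name) {
                $findings.Add("Binary value present under CLSID key: $name")
            }
        }
    }

    if (Test-Path -LiteralPath $DllPath) {
        $item = Get-Item -LiteralPath $DllPath
        $md5  = (Get-FileHash -LiteralPath $DllPath -Algorithm MD5).Hash
        $findings.Add("Dropped file present: $DllPath ($($item.Length) bytes, MD5 $md5)")
    }

    return $findings
}

function Test-GoldunDropper {
    # Compares one suspect file against the dropper's published size and MD5.
    # Note: the MD5 on the page is for the dropper, not for msgalo.dll, which is a
    # separate detection (TR/Spy.Goldun.ci.2), so this is not applied to the DLL.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; SizeMatch = $false; Md5Match = $false }
    }
    $size = (Get-Item -LiteralPath $Path).Length
    $md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    return [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        SizeMatch = ($size -eq $KnownSize)
        Md5Match  = ($md5 -ieq $KnownMd5)
    }
}

# Usage: run in an elevated PowerShell session on the host under investigation.
$hostFindings = Test-GoldunHostIndicators
if ($hostFindings.Count -eq 0) {
    Write-Output 'No Goldun.CI registry or file indicators found.'
} else {
    $hostFindings | ForEach-Object { Write-Output "[!] $_" }
}
# Optionally check a suspect executable against the dropper's hash and size:
# Test-GoldunDropper -Path 'C:\path\to\suspect.exe'
```

Get-FileHash is available from PowerShell 4.0 onward, so the script is meant for a current triage workstation or a mounted image rather than the Windows 9x/NT systems listed as affected; for older hosts the same registry and file checks can be done with reg.exe and a standalone MD5 tool. A hit on the CLSID key alone is worth a closer look even if msgalo.dll is gone, since the description says the Trojan deletes its initial copy but leaves the registration behind.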

Backdoor:
Contact server:
   • http://hothosts.co.uk/**********/collect.php

The data is sent via the HTTP POST method to a PHP script.


Sends information about:
    • IP address
    • Collected information described in the Stealing section

Stealing:
– A logging routine is started after a website is visited:
   • www.e-gold.com

– It captures:
    • Window information
    • Login information

File details:
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG

Description inserted by Andrei Gherman on Tuesday, October 11, 2005
Description updated by Andrei Gherman on Friday, October 14, 2005
