Virus: TR/PSW.PdP.CT.1.E.3
Date discovered: 17/03/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 24.302 Bytes
MD5 checksum: 741f81f6154bd5115028579dcb9da082
VDF version: 6.34.00.61
General
Method of propagation:
• No own spreading routine

Alias:
• Kaspersky: Trojan-Spy.Win32.Goldun.iw
• VirusBuster: Rootkit.Agent.10
• Bitdefender: Trojan.Spy.Goldun.IW

Platforms / OS:
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification
• Steals information
• Third party control

Files
The following files are created:
– %SYSDIR%\axdebugl.dll
Further investigation showed that this file is malware as well. Detected as: BDS/Haxdoor.GJ.1
– %SYSDIR%\axdebugld.sys
Further investigation showed that this file is malware as well. Detected as: TR/PSW.PdP.CT.1.E.3

Registry
The following registry keys are added in order to load the services after reboot:
– HKLM\SYSTEM\CurrentControlSet\Services\axdebugld
• "Type"=dword:00000001
• "Start"=dword:00000001
• "ErrorControl"=dword:00000000
• "ImagePath"="%SYSDIR%\axdebugl.sys"
• "DisplayName"="OPENSSL cryptoapi"
– HKLM\SYSTEM\CurrentControlSet\Services\axdebugld\Security
• "Security"=%hex values%
– HKLM\SYSTEM\CurrentControlSet\Services\axdebugld\Enum
• "0"="Root\\LEGACY_AXDEBUGLD\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AXDEBUGLD
• "NextInstance"=dword:00000001
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AXDEBUGLD\0000
• "Service"="axdebugld"
• "Legacy"=dword:00000001
• "ConfigFlags"=dword:00000000
• "Class"="LegacyDriver"
• "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• "DeviceDesc"="OPENSSL cryptoapi"
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AXDEBUGLD\0000\Control
• "*NewlyCreated*"=dword:00000000
• "ActiveService"="axdebugld"

The following registry key is added (a Winlogon Notify package, which makes winlogon.exe load the named DLL at logon):
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\axdebugl
• "DllName"="axdebugl.dll"
• "Startup"="axdebugl"
• "Impersonate"=dword:00000001
• "Asynchronous"=dword:00000001
• "MaxWait"=dword:00000001
• "nk48id"="[%hex number%]"

Backdoor
Contact server:
The following:
• servername1.com/**********
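The two persistence points listed above (a Winlogon Notify package and a boot-start legacy driver service) can be checked on a host with the following script. This is an added example, not code from the Avira description; it assumes an elevated PowerShell session on Windows, and the only values it takes from the description are the key locations and the service Type/Start values.

```powershell
# Added example (not part of the original description): enumerate Winlogon
# Notify packages and kernel-driver services and flag entries whose image
# file is missing or not validly signed. Assumes an elevated shell.

function Resolve-ServiceImage([string]$ImagePath) {
    # Normalise the forms seen in ImagePath: '\??\C:\...', '\SystemRoot\...',
    # 'system32\drivers\x.sys' and environment-variable forms such as %SystemRoot%.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousPersistence {
    $findings = @()
    # Winlogon Notify packages: each subkey's DllName is loaded into winlogon.exe
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).DllName
            if (-not $dll) { continue }
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
            $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
            if ($sig -ne 'Valid') {
                $findings += [pscustomobject]@{ Where='WinlogonNotify'; Name=$k.PSChildName; Path=$path; Sig=$sig }
            }
        }
    }
    # Services with Type 1 (kernel driver) and Start 0/1 (boot/system), as in the keys above
    foreach ($k in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        if ($p.Type -ne 1 -or $p.Start -gt 1 -or -not $p.ImagePath) { continue }
        $img = Resolve-ServiceImage $p.ImagePath
        $sig = if (Test-Path $img) { (Get-AuthenticodeSignature $img).Status } else { 'FileMissing' }
        if ($sig -ne 'Valid') {
            $findings += [pscustomobject]@{ Where='DriverService'; Name=$k.PSChildName; Path=$img; Sig=$sig }
        }
    }
    return $findings
}

Get-SuspiciousPersistence | Format-Table -AutoSize
```

A 'FileMissing' driver whose ImagePath does not match the dropped file name, or a Notify DLL with no valid signature, is what this sample's registry entries would look like; legitimate unsigned third-party drivers will also appear and need to be triaged by hand.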
As a result, it may send out information and provide remote control. It also repeats the connection periodically. This is done via the HTTP GET and POST methods using a PHP script.

Sends information about:
• Cached passwords
• Collected information described in the stealing section

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords from the following programs:
• Miranda
• Internet Explorer
• Mozilla
• Maxthon
• The Bat
• Msn
• Icq
• Opera
– A logging routine is started after a website is visited:
• e-gold.com

Injection
– It injects the following file into a process: axdebugl.sys
Process name:
• explorer.exe

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Sergiu Oprea on Monday, April 10, 2006
Description updated by Sergiu Oprea on Tuesday, April 11, 2006