Virus: TR/Nichgig
Date discovered: 28/06/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 10,901 bytes
MD5 checksum: 62c776499583a39c3e613ead52e23c9c
VDF version: 6.35.00.87
IVDF version: 6.35.00.95 (Thursday, June 29, 2006)

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Trojan.Gobrena
   •  McAfee: PWS-Goldun.dr
   •  Kaspersky: Trojan-Spy.Win32.Goldun.mf
   •  F-Secure: Trojan-Spy.Win32.Goldun.mf
   •  VirusBuster: TrojanSpy.Goldun.LG
   •  Eset: Win32/Spy.Goldun.LX


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification
   • Steals information

Files
It creates the following directory:
   • %TEMPDIR%\4185XXXX



The following files are created:

– A file for temporary use, which may be deleted afterwards:
   • %TEMPDIR%\4185XXXX\%number%.tmp

– %SYSDIR%\hdtvu6.dll
   It is loaded once it has been fully written to disk. Further analysis showed that this file is malware as well. Detected as: TR/Spy.Goldun.ME

– %SYSDIR%\nkudpn1.sys
   It is loaded once it has been fully written to disk. Further analysis showed that this file is malware as well. Detected as: TR/Nichgig

Registry
The following registry keys are added in order to load the service after reboot. "Type"=1 registers it as a kernel-mode driver (SERVICE_KERNEL_DRIVER), "Start"=1 makes the kernel load it during system initialization (SERVICE_SYSTEM_START), before any user logs on, and "ErrorControl"=0 tells the loader to ignore failures. The "\??\" prefix on "ImagePath" is the NT object-manager path form, which lets the driver be loaded straight from %SYSDIR% instead of the usual drivers subdirectory:

– HKLM\SYSTEM\CurrentControlSet\Services\nkudpn1
   • "Type"=dword:00000001
   • "Start"=dword:00000001
   • "ErrorControl"=dword:00000000
   • "ImagePath"="\??\%SYSDIR%\nkudpn1.sys"
   • "DisplayName"="NKU UDPN1-01"

– HKLM\SYSTEM\CurrentControlSet\Services\nkudpn1\Enum
   • "0"="Root\LEGACY_NKUDPN1\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Services\nkudpn1\Security
   • "Security"=%hex values%



The following registry keys are added. The first registers hdtvu6.dll as a Winlogon notification package: winlogon.exe (running as LocalSystem) loads the DLL and calls the export named by "Startup" at system startup, impersonating the logged-on user ("Impersonate"=1) on a separate thread without waiting for it to return ("Asynchronous"=1; "MaxWait" is the time in seconds Winlogon would otherwise wait). The second is an infection marker written under the Control key:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hdtvu6
   • "DllName"="hdtvu6.dll"
   • "Startup"="hdtvu6"
   • "Impersonate"=dword:00000001
   • "Asynchronous"=dword:00000001
   • "MaxWait"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Control
   • "isfr2"="[%number%[%current user%]"
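The two persistence mechanisms above (the kernel-driver service and the Winlogon notification package) can be checked offline from a registry export taken with `reg export`, without running anything on the suspect host. The script below is an added example, not part of this Avira description or of any Avira tool: it parses a .reg file, decodes the "Type"/"Start" values, flags any boot-time kernel driver whose ImagePath loads a .sys straight out of system32 via a "\??\" path, lists every Winlogon notification package, and matches the exact indicators named on this page. The embedded SAMPLE_REG is constructed from the keys listed above with %SYSDIR% assumed to be C:\WINDOWS\system32, a legitimate Tcpip driver added as a control, and a placeholder isfr2 value; the function and constant names are this example's own.

```python
"""Offline triage of a .reg export for the TR/Nichgig persistence keys."""
import re

# Constructed sample export (not captured from a real host). Mirrors the keys
# described above; %SYSDIR% is assumed to be C:\WINDOWS\system32 and the
# isfr2 content is a placeholder. Tcpip is a benign control entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkudpn1]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\nkudpn1.sys"
"DisplayName"="NKU UDPN1-01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkudpn1\Enum]
"0"="Root\\LEGACY_NKUDPN1\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\DRIVERS\\tcpip.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hdtvu6]
"DllName"="hdtvu6.dll"
"Startup"="hdtvu6"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"isfr2"="[1234[user]"
"""

SERVICE_KERNEL_DRIVER = 0x1   # "Type" value for a kernel-mode driver
SERVICE_SYSTEM_START = 0x1    # "Start" value: loaded during kernel init
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
CONTROL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
IOC_SERVICES = {"nkudpn1"}          # service name from this description
IOC_NOTIFY_DLLS = {"hdtvu6.dll"}    # Winlogon Notify DLL from this description


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(v):
    """Decode one .reg value: quoted string, dword:, or hex: (as bytes)."""
    if v.startswith('"') and v.endswith('"'):
        return _unescape(v[1:-1])
    if v.startswith("dword:"):
        return int(v[6:], 16)
    if v.startswith("hex"):
        body = v.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b)
    return v


def parse_reg(text):
    """Parse a v5 .reg export into {key_path: {value_name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex: continuation lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(2) else _unescape(m.group(1))
            keys[current][name] = _parse_value(m.group(3))
    return keys


def triage(keys):
    """Return (name, reason) findings for the persistence described on this page."""
    findings = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if parent.lower() == SERVICES.lower():
            image = str(values.get("ImagePath", ""))
            boot_driver = (values.get("Type") == SERVICE_KERNEL_DRIVER
                           and values.get("Start") == SERVICE_SYSTEM_START)
            # a boot-time driver living directly in system32, reached via \??\
            if boot_driver and re.match(r"\\\?\?\\.*\\system32\\[^\\]+\.sys$", image, re.I):
                findings.append((leaf, "system-start kernel driver loaded from system32 via \\??\\ path"))
            if leaf.lower() in IOC_SERVICES:
                findings.append((leaf, "service name matches TR/Nichgig indicator"))
        elif parent.lower() == NOTIFY.lower():
            reason = "Winlogon notification package (DLL runs inside winlogon.exe)"
            if str(values.get("DllName", "")).lower() in IOC_NOTIFY_DLLS:
                reason += "; DllName matches TR/Nichgig indicator"
            findings.append((leaf, reason))
        elif path.lower() == CONTROL.lower() and "isfr2" in values:
            findings.append(("isfr2", "infection marker value under CurrentControlSet\\Control"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{name}: {reason}")
```

Run it against a real export with `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the Winlogon key (`reg export` writes UTF-16; open the file with `encoding="utf-16"` before passing it to parse_reg). The "\??\" heuristic fires on any third-party driver registered the same way, so treat it as a lead to verify against the file's hash, not as proof on its own.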

Backdoor
Contact server:
   • www.proxyland.net/**********

It sends the collected information to this server with an HTTP POST request to a PHP script.


Sends information about:
    • Collected information described in stealing section
    • Information about the Windows operating system

Stealing
It tries to steal the following information:
– E-mail account information read from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started when the following website is visited:
   • https://www.e-gold.com/acct/login.html

– It captures:
    • Login information

Injection
– It injects the following file into a process: %SYSDIR%\hdtvu6.dll

    Process name:
   • %all processes started after malware is active in memory%


File details
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • FSG

Description inserted by Teodor Onisor on Tuesday, September 19, 2006
Description updated by Teodor Onisor on Wednesday, September 20, 2006
