Virus: TR/Spy.Goldsteal.A
Date discovered: 20/02/2007
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 31.232 Bytes
MD5 checksum: 4a6f5f4468f69f43fcdb3ee1939dd1d5
VDF version: 6.37.01.117
IVDF version: 6.37.01.118 - Tuesday, February 20, 2007

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Steals information

Files
The following files are created:

– Non-malicious files:
   • %SYSDIR%\gtalsmx.dll
   • %SYSDIR%\aimsmx.dll
   • %SYSDIR%\ymsgsmx.dll
   • %SYSDIR%\aosmx.dll
   • %SYSDIR%\comcb2.dll
   • %SYSDIR%\srvswc2.dll
   • %SYSDIR%\comcsi5.dll




It tries to download the following files:

– The location is the following:
   • http://sweetymail.ru/**********
It is saved on the local hard drive under: %WINDIR% This file is executed once the download completes. Further investigation showed that this file is malware, too. Detected as: TR/Small.DBY.AD.1


– The location is the following:
   • http://sweetymail.ru/**********
It is saved on the local hard drive under: %WINDIR%\mk.exe This file is executed once the download completes. Detected as: TR/Drop.KBRWS.A


– The location is the following:
   • http://sweetymail.ru/**********
It is saved on the local hard drive under: %WINDIR%\update.exe This file is executed once the download completes. Detected as: TR/Drop.Goldun.OM.2

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– A logging routine is started after the following website is visited:
   • http://www.e-gold.com

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Ernest Szocs on Monday, February 19, 2007
Description updated by Andrei Ivanes on Thursday, March 1, 2007
