Trojan-Spy.Win32.Goldun.ij

From Total Malware Info


A Trojan program that steals confidential information from the user's machine. It is a Windows PE EXE file. The original file is 14 619 bytes in size and is packed with FSG; the unpacked size is ~127 KB. Written in Assembler.

Installation

Drops the following file from own executable:

  • %System%\fpuext.dll

Creates the following registry entries.

For Windows 9x:

[HKLM\System\CurrentControlSet\Control\MPRServices\TestService]
DllName="extfpu.dll"
EntryPoint="extfpu"
StackSize=0

For Windows NT:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\extfpu]
Asynchronous=1
DllName="extfpu.dll"
Impersonate=1
MaxWait=1
Startup="extfpu"

These entries cause the dropped files to be launched automatically every time Windows starts.

Payload

Creates the following registry value:

[HKLM\SYSTEM\CurrentControlSet\Control]
pcnume

Gets the list of system processes and injects the dropped file extfpu.dll into all active processes. While injected, the DLL performs the following actions:

Regenerates the file

  • %System%\fpuext.sys when it is deleted.

Hooks the following API functions in the processes it is injected into:

  • Wininet.InternetOpenA
  • Wininet.InternetReadFile
  • Wininet.InternetConnectA
  • Wininet.HttpOpenRequestA
  • Wininet.InternetQueryDataAvailable

Using the installed hooks, the trojan monitors the user's actions while working on the internet with the following domain:

Using the hook for HttpOpenRequestA, the trojan scans URL requests for the text below:

  • acct/bal.asp
  • acct/ai.asp
  • acct/spen*.asp
  • AccountID=
  • Pass

If such text is found, the trojan extracts the values entered in the web form fields with the ids AccountID and Pass. If the URL contains the text:

  • PIN
  • gen3.asp

then the InternetReadFile handler inserts an additional HTML form, "Login confirmation" with a field "Turing", into the HTML code received from the server. The value of this field is then extracted by the trojan. The trojan periodically opens the following URLs:

www.e-***d.com/acct/balance.asp
www.e-***d.com/acct/confirm.asp?PAY_IN=8888&WORTH_OF=Gold&Payee_Account=<a> &PAYMENT_ID=<b>

where <a> and <b> are values sniffed from the hooked URL requests. All data gathered by the trojan is stored in the file

  • %System%\sendday.dat

and is then sent to the malefactor's e-mail address.
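The two outbound URLs above are the most useful network indicator in this description: the confirm.asp request carries fixed parameters (PAY_IN=8888, WORTH_OF=Gold) that a legitimate user would not send repeatedly, and balance.asp is polled on a timer. The following is an added example, not code from the Total Malware Info page, that scans web-proxy log lines for both. It assumes a space-separated log format with the client address in the third field and the request URL in the seventh (loosely like a squid access log); the sample lines, the client addresses, the payee and payment ids, and the stand-in host www.masked-domain.example (the real domain is masked on the page) are all constructed.

```python
"""Added example (not from the Goldun.ij description): flag proxy log lines that
match the trojan's outbound request patterns. Log format and sample data are
constructed for the demonstration."""
from urllib.parse import parse_qs, urlsplit

CLIENT_FIELD = 2  # assumed position of the client address in a log line
URL_FIELD = 6     # assumed position of the request URL in a log line


def classify_url(url):
    """Return 'transfer' for a URL shaped like the trojan's confirm.asp request,
    'balance' for its balance.asp poll, and None for anything else."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    if path.endswith("/acct/confirm.asp"):
        # All four parameters from the description must be present; the two
        # fixed ones must carry exactly the values the trojan sends.
        if (query.get("PAY_IN") == ["8888"]
                and query.get("WORTH_OF") == ["Gold"]
                and "Payee_Account" in query
                and "PAYMENT_ID" in query):
            return "transfer"
        return None
    if path.endswith("/acct/balance.asp"):
        return "balance"
    return None


def scan_proxy_log(lines):
    """Return [(line_number, classification, url)] for lines worth alerting on."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) <= URL_FIELD:
            continue  # malformed or truncated line
        label = classify_url(fields[URL_FIELD])
        if label:
            hits.append((number, label, fields[URL_FIELD]))
    return hits


def clients_polling_balance(lines, min_polls=2):
    """Count balance.asp requests per client and return those at or above
    min_polls; repeated polling from one host matches the periodic behaviour."""
    counts = {}
    for line in lines:
        fields = line.split()
        if len(fields) <= URL_FIELD:
            continue
        if classify_url(fields[URL_FIELD]) == "balance":
            client = fields[CLIENT_FIELD]
            counts[client] = counts.get(client, 0) + 1
    return {client: n for client, n in counts.items() if n >= min_polls}


# Constructed sample log: two balance polls and one transfer attempt from
# 10.0.0.7, ordinary browsing and a non-matching confirm request from 10.0.0.9.
SAMPLE_LOG = """\
1143000000.123 120 10.0.0.7 TCP_MISS/200 4321 GET http://www.masked-domain.example/acct/balance.asp - DIRECT/203.0.113.5 text/html
1143000060.456 98 10.0.0.7 TCP_MISS/200 4301 GET http://www.masked-domain.example/acct/balance.asp - DIRECT/203.0.113.5 text/html
1143000061.001 110 10.0.0.7 TCP_MISS/200 512 GET http://www.masked-domain.example/acct/confirm.asp?PAY_IN=8888&WORTH_OF=Gold&Payee_Account=123456&PAYMENT_ID=77 - DIRECT/203.0.113.5 text/html
1143000070.000 200 10.0.0.9 TCP_MISS/200 8000 GET http://www.example.com/index.html - DIRECT/203.0.113.9 text/html
1143000080.000 150 10.0.0.9 TCP_MISS/200 700 GET http://www.masked-domain.example/acct/confirm.asp?PAY_IN=10&WORTH_OF=Gold&Payee_Account=1&PAYMENT_ID=2 - DIRECT/203.0.113.5 text/html
"""

if __name__ == "__main__":
    for number, label, url in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {label}: {url}")
    print("clients polling balance.asp:", clients_polling_balance(SAMPLE_LOG.splitlines()))
```

The transfer check is deliberately strict about the two fixed parameter values, so a user who legitimately opens the confirm page with their own amounts is not flagged; the balance-poll count is the weaker signal and is reported per client for review rather than as a hard alert.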

Removal Instructions

  1. Delete the original trojan file
  2. Delete the following registry keys:
    [HKLM\System\CurrentControlSet\Control\MPRServices\TestService]
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\extfpu]
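The registry keys in the Installation section are the persistence mechanism, and step 2 above is undone only once both are gone. The following is an added example, not code from the Total Malware Info page, that serves both passages: it parses a saved .reg-style registry export, reports the keys and DllName values tied to this trojan, lists every Winlogon Notify package so an analyst can account for each DLL that winlogon.exe will load, and confirms removal. It assumes the export uses one "[key]" line followed by name=value lines; the sample export, including the benign crypt32chain entry, is constructed for the demonstration.

```python
"""Added example (not from the Goldun.ij description): check a registry export
for the trojan's persistence entries and verify their removal. The export text
below is constructed."""

# Persistence keys named in the description (Windows 9x and Windows NT variants).
GOLDUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\extfpu",
}
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
GOLDUN_DLL = "extfpu.dll"  # DllName the dropped file is registered under


def parse_reg_export(text):
    """Parse .reg-style text into {key_path: {value_name: value_text}}.

    Quotes around names and values are stripped; dword:/hex: values are kept as
    their literal text, which is enough for an indicator check."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.upper().startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue  # file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"')] = value.strip().strip('"')
    return keys


def find_goldun_persistence(keys):
    """Return [(key_path, reason)] for keys matching the description's indicators.
    Paths and DLL names are compared case-insensitively, as the registry does."""
    known = {k.lower() for k in GOLDUN_KEYS}
    findings = []
    for path, values in keys.items():
        reasons = []
        if path.lower() in known:
            reasons.append("key path listed in the Goldun.ij description")
        if values.get("DllName", "").lower() == GOLDUN_DLL:
            reasons.append(f"DllName is {GOLDUN_DLL}")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


def list_notify_packages(keys):
    """Return sorted (package, DllName) pairs for every Winlogon Notify package
    (Windows NT family); each one is loaded by winlogon.exe and should be known."""
    prefix = WINLOGON_NOTIFY.lower() + "\\"
    return sorted((path[len(prefix):], values.get("DllName", ""))
                  for path, values in keys.items()
                  if path.lower().startswith(prefix))


def persistence_removed(text):
    """True when the export contains no Goldun.ij persistence entry, i.e. step 2
    of the removal instructions has been completed."""
    return not find_goldun_persistence(parse_reg_export(text))


# Constructed export: one benign Notify package plus both trojan entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\extfpu]
"Asynchronous"=dword:00000001
"DllName"="extfpu.dll"
"Impersonate"=dword:00000001
"MaxWait"=dword:00000001
"Startup"="extfpu"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]
"DllName"="extfpu.dll"
"EntryPoint"="extfpu"
"StackSize"=dword:00000000
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for path, reason in find_goldun_persistence(parsed):
        print(f"{path}: {reason}")
    print("Winlogon Notify packages:", list_notify_packages(parsed))
    print("clean:", persistence_removed(SAMPLE_EXPORT))
```

Matching on the DllName as well as on the key path catches the case where the same DLL has been registered under a Notify subkey with a different name; the Notify listing is there because any package in that location runs inside winlogon.exe at startup, so each entry, not only the one named here, deserves a look.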