Home / malware W32.Golroted
First posted on 18 November 2014.
Source: SymantecAliases :
There are no other names known for W32.Golroted.
Explanation :
When the worm is executed, it creates the following files: %UserProfile%\Application Data\Windows Update.exe%UserProfile%\Application Data\WindowsUpdate.exe%Temp%\SysInfo.txt%UserProfile%\Application Data\pid.txt %UserProfile%\Application Data\pidloc.txt%DriveLetter%\Sys.exe%DriveLetter%\autorun.inf
Next, the worm creates the following registry entries: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "%UserProfile%\Application Data\WindowsUpdate.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\Windows Update\DEBUG\"Trace Level" = ""
The worm then gathers the following computer information: Computer nameLocal date and timeInstalled languageOperating system Internal IP addressExternal IP addressInstalled firewallInstalled antivirus software
Next, the worm ends the following processes: taskmgr.execmd.exeregedit.exemsconfig.exe
The worm then gathers passwords from the following programs: Web browsersEmail accountsInternet Download ManagerJdownloaderMinecraft
The threat may then perform the following actions: Capture screenshotsLog keystrokesLog titles of open windowsGather clipboard dataSend data to specified email addresses, FTP servers, or web panelsDelete web browser cookiesDownload and execute filesVisit websitesBlock access to specific websites
The worm then copies itself to removable drives.Last update 18 November 2014
