
Trojan.Gamut


First posted on 11 March 2014.
Source: Symantec

Aliases:

There are no other names known for Trojan.Gamut.

Explanation:

When the Trojan is executed, it creates the following registry keys to register itself as a system service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"DisplayName" = "WPUms"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ImagePath" = "%CurrentFolder%\[ORIGINAL FILE NAME].exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"Type" = "16"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\Security\"Security" = "[BINARY DATA]"

It then creates the following registry entries to register itself as a legacy driver service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"DeviceDesc" = "WPUms"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Service" = "WPUms"

It creates a service with the following file name when Windows starts up:

%CurrentFolder%\[ORIGINAL FILE NAME].exe

The Trojan then connects to the following URLs:

http://arondo.in.ua/?8080
http://dufoper.in.ua/?8080
http://retionolo.in.ua/?8080
http://serenaso.in.ua/?8080
http://toporung.in.ua/?8080

It performs the following commands sent from the compromised computer to the C&C server:

GetIP
GetPTR
GetSubscriptionEmailsBloc
GetSubscriptionContentEmails
SentSubscriptionBlock
NotSent
Port25Open
Port25Close

The Trojan is able to send spam after retrieving email content and addresses from the C&C server.
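To triage a host for this persistence mechanism, the following added Python example (not Symantec's or the page's code) parses a constructed .reg export of the Services key and flags the WPUms service both by its name and by the generic shape the write-up describes: auto-start (Start = 2), own-process service (Type = 16), running as LocalSystem, with its image outside the Windows and Program Files directories. The .reg content, the drop path and the file name invoice.exe are constructed sample data.

```python
# Indicators quoted from the write-up above; everything else is constructed.
GAMUT_SERVICE = "WPUms"
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
# Constructed sample .reg export: the Gamut service next to a benign one.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms]
"ImagePath"="C:\\Users\\bob\\Downloads\\invoice.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"Start"=dword:00000002
"Type"=dword:00000110
'''
def parse_reg(text):
    # Minimal .reg parser: key path -> {value name: str or int}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = (int(raw[6:], 16) if raw.startswith("dword:")
                                   else raw.strip('"').replace("\\\\", "\\"))
    return keys

def find_gamut_services(reg_text):
    # Flags the known name and, more generally, an auto-start (Start=2),
    # own-process (Type=0x10) LocalSystem service imaged outside system dirs.
    findings = []
    for key, vals in parse_reg(reg_text).items():
        if not key.upper().startswith(SERVICES_KEY.upper()):
            continue
        name = key[len(SERVICES_KEY):]
        if not name or "\\" in name:  # skip subkeys such as WPUms\Security
            continue
        image = vals.get("ImagePath", "").lower()
        reasons = []
        if name.lower() == GAMUT_SERVICE.lower():
            reasons.append("service name matches Trojan.Gamut")
        if (vals.get("Type") == 0x10 and vals.get("Start") == 2
                and vals.get("ObjectName", "").lower() == "localsystem"
                and not image.startswith(("c:\\windows\\", "c:\\program files"))):
            reasons.append("auto-start LocalSystem service outside system dirs")
        if reasons:
            findings.append((name, reasons))
    return findings
```

The second, generic rule will also fire on legitimate third-party services installed outside Program Files, so treat it as a triage hint to review rather than a verdict on its own.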

Last update 11 March 2014
