
Trojan:Win32/Glod.A


First posted on 12 June 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Glod.A is also known as Troj/VB-GIL (Sophos), Trojan-FBZY!FC72F99795A0 (McAfee), W32/Luder.AECM!worm (other), Win32/Spy.VB.NSC (ESET), Trojan.Siggen5.20181 (Dr.Web), Worm.Win32.Luder.aecm (Kaspersky), W32/Trojan3.FFH (Command).

Explanation:



Installation

Trojan:Win32/Glod.A may use social engineering to convince you to install it on your computer. For example, we have seen it pretend to be a screen-saver file named image.scr. It may also be downloaded by other malware.

When run, the trojan drops and opens %TEMP%\chen-cus-seaport.xls in Microsoft Office Excel. This is a normal Excel file containing some financial information; it is designed to act as a decoy while the trojan installs. The trojan continues to run in the background while this Excel file is open on the desktop.

The trojan then copies and runs itself as %ALLUSERPROFILE%\Common Files\openv.exe.

Trojan:Win32/Glod.A modifies the following registry entry to ensure that it runs each time you start your computer:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "openv"
With data: "%ALLUSERPROFILE%\Common Files\openv.exe"



Payload

Logs keystrokes

When run, Trojan:Win32/Glod.A monitors your keystrokes and active windows as you use your computer.

The trojan then sends this information to a remote attacker at sonunigam.us.

It creates the following registry entries to tell your computer where and when to send a file with your information to an attacker:

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\babag
Sets value: "babag"
With data: "United States"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\htt
Sets value: "htt"
With data: "http://sonunigam.us/opt/mainpage.php"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\logss
Sets value: "logss"
With data: "<keylog record>"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\note
Sets value: "note"
With data: "enolove14.5"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\Settimess
Sets value: "Settimess"
With data: "60"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\textlogsss
Sets value: "textlogsss"
With data: "sunny2"

In subkey: HKCU\Software\VB and VBA Program Settings\C:\Documents and Settings\All Users\Common Files\Timess
Sets value: "Timess"
With data: "0"
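As an added defender-side check (not part of the original advisory), the following PowerShell script looks on a live host for the dropped file, the Run-key entry and the VB and VBA Program Settings configuration keys listed above. It assumes the advisory's %ALLUSERPROFILE% refers to the standard %ALLUSERSPROFILE% environment variable.

```powershell
# Added host-check example, not part of the original advisory.
# Run as the affected user so HKCU resolves to that user's hive.
# Assumption: the advisory's %ALLUSERPROFILE% is the standard %ALLUSERSPROFILE%.

$findings = @()

# 1. Run-key persistence: value "openv" under HKLM\...\CurrentVersion\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['openv']) {
    $findings += "Run value 'openv' -> $($run.openv)"
}

# 2. Dropped copy of the trojan
$exe = Join-Path $env:ALLUSERSPROFILE 'Common Files\openv.exe'
if (Test-Path -LiteralPath $exe) {
    $findings += "File present: $exe"
}

# 3. VB and VBA Program Settings keys used as the keylogger's config store.
#    Each entry is a leaf key whose single value carries the same name as the key,
#    so a recursive walk filtered on the leaf name finds them regardless of the
#    profile path embedded in the key hierarchy.
$cfgNames = 'babag', 'htt', 'logss', 'note', 'Settimess', 'textlogsss', 'Timess'
$vbRoot = 'HKCU:\Software\VB and VBA Program Settings'
if (Test-Path -LiteralPath $vbRoot) {
    Get-ChildItem -LiteralPath $vbRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $cfgNames -contains $_.PSChildName } |
        ForEach-Object {
            $val = $_.GetValue($_.PSChildName)
            if ($null -ne $val) {
                # Report only the size of the captured keystroke buffer, not its content.
                $shown = if ($_.PSChildName -eq 'logss') { "<$($val.Length) chars>" } else { $val }
                $findings += "Config key $($_.PSChildName) = $shown  [$($_.Name)]"
            }
        }
}

# 4. Decoy spreadsheet left in %TEMP%
$xls = Join-Path $env:TEMP 'chen-cus-seaport.xls'
if (Test-Path -LiteralPath $xls) { $findings += "Decoy document present: $xls" }

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Glod.A artifacts found.'
} else {
    'Possible Trojan:Win32/Glod.A artifacts:'
    $findings | ForEach-Object { "  $_" }
}
```

The Run value and the openv.exe file are the strongest indicators; the configuration keys alone may persist after the executable has been removed and are useful for scoping which accounts were affected.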



Analysis by Steven Zhou

Last update 12 June 2013
