
Trojan.Gotalon


First posted on 03 April 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Gotalon.

Explanation:

Once executed, the Trojan copies itself to the following location:
%UserProfile%\Start Menu\Programs\Startup\ChipUtil.exe
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"Service" = "BITS"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"DeviceDesc" = "Background Intelligent Transfer Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\"BITS_metadata" = "%AllUsersProfile%\Application Data\Microsoft\Network\Downloader\*\00\00"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid\"Guid" = "4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid\"BitNames" = " LogFlagInfo LogFlagWarning LogFlagError LogFlagFunction LogFlagRefCount LogFlagSerialize LogFlagDownload LogFlagTask LogFlagLock LogFlagService LogFlagDataBytes LogFlagTransferDetails"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\"LogSessionName" = "stdout"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\"ControlFlags" = "1"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\"Active" = "1"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\BITS\"StateIndex" = "1"
Next, the Trojan may gather system information, such as operating system and processor type, and send it to the following remote location:
109.123.93.215
The Trojan uses the following user agent in HTTP traffic:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0
The Trojan may then perform the following actions on the compromised computer:
Create .tmp files
Execute files

Last update 03 April 2015
