Trojan:Win32/Ghodow.A
First posted on 07 April 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Ghodow.A is also known as Trojan.Win32.KillAV.fqi (Kaspersky), Win32/Bvatik.A (CA), Win32/Dalixi.A (ESET), Trojan.Win32.Killav (Ikarus), Trojan.Win32.KillAV.csw (Rising AV), Trojan.Win32.Killav (Sunbelt Software), Trojan.Mebratix (Symantec), TROJ_KILLAV.AJF (Trend Micro).
Explanation:
Trojan:Win32/Ghodow.A is a trojan that modifies the hard disk's MBR (Master Boot Record) and unhooks various SSDT entries. It downloads and executes arbitrary files from a remote host.
Installation:
Trojan:Win32/Ghodow.A may consist of several components. When executed, it may drop the following files on the infected computer:
%ProgramFiles%\msdn\atixx.sys - detected as VirTool:WinNT/Ghodow.A
%ProgramFiles%\msdn\atixi.sys - detected as VirTool:WinNT/Ghodow.B
%ProgramFiles%\msdn\000000000 - detected as TrojanDownloader:Win32/Ghodow.A
Payload:
Downloads and executes arbitrary files
Trojan:Win32/Ghodow.A's component file "atixx.sys" injects the other component file "000000000" into a chosen process to download arbitrary files.
Modifies MBR (Master Boot Record)
Trojan:Win32/Ghodow.A's component file "atixx.sys" modifies the hard disk's MBR (Master Boot Record) and writes a loader portion directly to disk sectors.
Unhooks SSDT (System Service Descriptor Table) entries
Trojan:Win32/Ghodow.A unhooks the following SSDT entries, which may be used by security-related software:
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
Additional information:
Trojan:Win32/Ghodow.A only attempts to affect Windows XP systems.
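As an added defender-side check (example code written for this page, not part of the original write-up or any vendor tool): the script below parses the first disk sector, compares its bootstrap code against a hash recorded from a clean image of the same machine, and looks for the drop paths listed above. The baseline hash, the `\\.\PhysicalDrive0` device path and the `exists` hook are assumptions you supply for your own environment.

```python
import hashlib
import os
import struct

# Drop paths named in the write-up, relative to %ProgramFiles% (detection names per the page).
GHODOW_COMPONENTS = [
    r"msdn\atixx.sys",  # VirTool:WinNT/Ghodow.A
    r"msdn\atixi.sys",  # VirTool:WinNT/Ghodow.B
    r"msdn\000000000",  # TrojanDownloader:Win32/Ghodow.A
]
MBR_SIZE = 512
BOOT_CODE_LEN = 446  # bootstrap code occupies bytes 0..445, before the partition table
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def mbr_findings(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Flag a bootstrap area that no longer matches the hash recorded from a clean image."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("MBR bootstrap code differs from baseline")
    return findings


def dropped_component_findings(program_files: str, exists=os.path.isfile) -> list:
    """Return the documented drop paths that exist under the given %ProgramFiles% directory."""
    paths = [os.path.join(program_files, rel) for rel in GHODOW_COMPONENTS]
    return [p for p in paths if exists(p)]


def read_live_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of the first physical disk (Windows, administrator rights required)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)
```

A bootstrap-code mismatch is a lead, not a verdict: legitimate boot managers and some OEM tools also rewrite sector 0, so confirm against a known-good image before acting.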
Analysis by Chun Feng
Last update 07 April 2010