Malware Information

Malware name: Trojan.Spy.Goldun.axt
Type: Trojan
Affected platform: Win32
Media type: application/executable
MD5 checksum: 6BA40E29DB8FB6F9145FDE7A45708875
Static file: yes
Filesize: 34,931 bytes
Alias names (also known as):
  • Sophos: Troj/Meredrop-A
  • McAfee: Spy-Agent.bg
Side effects:
  • Drops malicious files
  • Lowers security settings
  • Registry modification
  • Steals information
Propagation: No own spreading routine

Description:

Files

The following files are created:

– Non-malicious file:
• %SYSDIR%\k86.bin

– %SYSDIR%\cabpck.dll: executed as soon as it has been written out completely. Further investigation showed that this file is malware, too. Detected as: Trojan.Spy.Goldun.axn

– %SYSDIR%\krnlcab.sys: loaded as a kernel-mode driver through the krnlcab service described under Registry. Further investigation showed that this file is malware, too. Detected as: Trojan.Rootkit.Gen

It tries to download a file:

– The location is the following:
• http://social-bos.biz/**********/data.php**********

Registry

The following registry key is added so that the driver is also loaded when Windows is started in Safe Mode (SafeBoot\Minimal lists the drivers and services that are permitted to load there):

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys]
• @="Driver"



The following key and values are added in order to load the DLL after reboot: cabpck is registered as a Winlogon notification package, so winlogon.exe loads cabpck.dll in its own SYSTEM-level process at every boot and logon:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
• DllName=hex(2):%hex values% (cabpck.dll)
• Startup="cabpck"
• Impersonate=dword:00000001
• Asynchronous=dword:00000001
• MaxWait=dword:00000001
• a950="[FA5BF78BD77A4464E]"



The following registry keys are added in order to register krnlcab.sys as a kernel-mode driver service that is loaded at system start:

– [HKLM\SYSTEM\CurrentControlSet\Services\krnlcab]
• "Type"=dword:00000001 (SERVICE_KERNEL_DRIVER)
• "Start"=dword:00000001 (SERVICE_SYSTEM_START)
• "ErrorControl"=dword:00000000
• "ImagePath"=hex(2):%hex values% (system32\krnlcab.sys)
• "DisplayName"="Cabinet Kernel Packer"

– [HKLM\SYSTEM\CurrentControlSet\Services\krnlcab\Security]
• "Security"=hex:%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\krnlcab\Enum]
• "0"="Root\\LEGACY_KRNLCAB\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001



It creates the following entry in order to bypass the Windows XP firewall: the executed file is added to the firewall's list of authorized applications, so its network traffic is allowed without a prompt. The rule name rundll32 indicates that the exception was registered for a rundll32.exe host process:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
• "%executed file%"="%executed file%:*:Enabled:rundll32"




The following registry keys are added (Windows creates these Enum\Root\LEGACY_* entries itself when a legacy, non-PnP driver service is first started, so their presence confirms that the driver was actually loaded):

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB]
• "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000]
• "Service"="krnlcab"
• "Legacy"=dword:00000001
• "ConfigFlags"=dword:00000000
• "Class"="LegacyDriver"
• "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• "DeviceDesc"="Cabinet Kernel Packer"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KRNLCAB\0000\Control]
• "*NewlyCreated*"=dword:00000000
• "ActiveService"="krnlcab"
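A small triage script, added here as an example (it is not from the original write-up or from any vendor tool), that parses a .reg export and flags the three artefacts listed above: a non-standard Winlogon notification package, a kernel-mode driver service that is also whitelisted under SafeBoot\Minimal, and enabled Windows Firewall application exceptions. SAMPLE_REG, the crypt32chain decoy entry and the allowlist of default Windows XP notification DLLs are constructed assumptions for the demonstration; on a real host you would feed it the output of `reg export`.

```python
r"""Triage a Windows .reg export for the persistence tricks described above.

Added example, not part of the original write-up. SAMPLE_REG is constructed;
on a real host use e.g. `reg export HKLM\SYSTEM sys.reg` (converted to UTF-8).
"""
import re
from collections import defaultdict

# Constructed sample. The ImagePath value is a genuine hex(2) (REG_EXPAND_SZ,
# UTF-16LE) encoding of "system32\krnlcab.sys", wrapped the way reg.exe does.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"DllName"="cabpck.dll"
"Startup"="cabpck"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\krnlcab]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,\
  72,00,6e,00,6c,00,63,00,61,00,62,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="Cabinet Kernel Packer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
"""

NOTIFY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\minimal\\"
FIREWALL_LIST = "\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
# Assumed allowlist: notification DLLs that ship with Windows XP.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def decode_value(raw):
    """Decode the .reg encodings that matter here: strings, dwords, hex/hex(2)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):
        kind, _, payload = raw.partition(":")
        data = bytes(int(h, 16) for h in payload.split(",") if h.strip())
        return data.decode("utf-16-le").rstrip("\0") if kind == "hex(2)" else data
    return raw


def parse_reg(text):
    """Return {lower-cased key path: {value name: decoded value}}."""
    logical = []
    for line in text.splitlines():
        # reg.exe only wraps hex(...) values, with a trailing backslash.
        if logical and logical[-1].endswith("\\") and "=hex" in logical[-1]:
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())
    keys, current = defaultdict(dict), None
    for line in logical:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current]  # register the key even if it carries no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            keys[current][name] = decode_value(m.group(2))
    return dict(keys)


def triage(keys):
    """Return findings as {"kind", "name", "detail"} dicts."""
    findings = []
    safeboot = {k[len(SAFEBOOT):].split(".")[0] for k in keys if k.startswith(SAFEBOOT)}
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        if path.startswith(NOTIFY):
            dll = str(values.get("DllName", "")).lower()
            if dll.rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
                findings.append({"kind": "winlogon-notify", "name": leaf, "detail": dll})
        elif path.startswith(SERVICES) and path.count("\\") == SERVICES.count("\\"):
            # Type 1 = SERVICE_KERNEL_DRIVER; Start 0/1 = boot/system start.
            if values.get("Type") == 1 and values.get("Start") in (0, 1):
                detail = str(values.get("ImagePath", "")).lower()
                if leaf in safeboot:
                    detail += " (also whitelisted in SafeBoot\\Minimal)"
                findings.append({"kind": "kernel-driver", "name": leaf, "detail": detail})
        elif path.endswith(FIREWALL_LIST):
            for app, rule in values.items():
                if ":*:enabled:" in str(rule).lower():
                    findings.append({"kind": "firewall-exception", "name": app, "detail": str(rule)})
    return findings


def scan(text):
    return triage(parse_reg(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f"{f['kind']:20} {f['name']:40} {f['detail']}")
```

The three checks are deliberately independent of the sample's names: any DLL outside the allowlist under Winlogon\Notify, any boot- or system-start kernel driver (with a note when it is also permitted in Safe Mode), and every enabled firewall exception are reported, and the analyst compares the result with a known-good baseline of the same Windows build.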

File details

Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
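An added example (not code from the original write-up) of how the packer claim can be checked statically: walk the PE headers to the section table and look for the UPX0/UPX1 section names and the "UPX!" marker that stock UPX leaves in the file, and compute the MD5 to compare against the checksum listed above. build_minimal_pe() constructs a throwaway PE32 header skeleton as test data; it is not the real 34,931-byte sample and is not a runnable executable.

```python
"""Statically check a PE file for traces of the UPX runtime packer.

Added example, not part of the original write-up. build_minimal_pe() builds
constructed test data (MZ stub, PE signature, COFF header, zeroed optional
header, section table) so the parser can be exercised without a real sample.
"""
import hashlib
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_minimal_pe(section_names):
    """Constructed PE32 skeleton with one section header per name."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)      # e_lfanew -> PE signature
    size_opt = 0xE0                                   # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")   # Magic = PE32, rest zero
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + PE_SIGNATURE + coff + opt + table


def section_names(data):
    """Follow e_lfanew to the PE header and return the section names in table order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Stock UPX names its sections UPX0/UPX1 and stamps "UPX!" into the header;
    both are trivially removed by a packer operator, so absence proves nothing."""
    return any(n.upper().startswith("UPX") for n in section_names(data)) or b"UPX!" in data


def md5_hex(data):
    """Upper-case MD5, the form used in the checksum field above."""
    return hashlib.md5(data).hexdigest().upper()


if __name__ == "__main__":
    packed = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    print(section_names(packed), looks_upx_packed(packed), md5_hex(packed))
```

If the sample is stock-UPX packed, `upx -d <file>` restores the original image for static analysis; hash the file before unpacking, since the listed checksum is that of the packed file.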