Upon first execution, W32/Goldun.NL@dr drops the files svjvpn.sys, svkvpn.sys and svkvpn.dll into %SYSDIR%. The dropped files are all detected as W32/Goldun.NL as well.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
svjvpn.sys and svkvpn.sys are identical and were detected generically as W32/Goldun.gen3 prior to signature detection. This is the rootkit component of the Trojan: a kernel driver that hides itself and svkvpn.dll from user-mode filesystem access, so directory listings and file-existence checks from user mode will not show them while the driver is loaded.
svkvpn.dll is the password-stealing component. It was detected generically as W32/Goldun.gen1 prior to signature detection. It tries to steal the user's passwords for eBay, E-gold and PayPal accounts.
Creates the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn]
and adds several values to it to make the file svkvpn.dll run at startup.
Creates the registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svjvpn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkvpn]
and adds several values and subkeys to them to make the files svjvpn.sys and svkvpn.sys execute at startup. However, the path to svkvpn.sys is wrong, so that copy will never be executed; only svjvpn.sys is loaded.
Adds subkeys to the registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
to make the above services run in safe mode.
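The following script, added here as an example and not part of the original write-up, walks the persistence points listed above on a suspect host and reports which are present. It assumes it is run from an elevated Windows PowerShell prompt on the live system (not against offline hives) and uses only the file, service and registry names given in the description. Because the rootkit driver hides the dropped files from user-mode access, a file reported as absent is not proof the host is clean; the registry keys and the loaded-driver list are the more reliable indicators while the driver is running.

```powershell
# Added example (not from the advisory): enumerate the W32/Goldun.NL persistence
# artifacts described above. Assumes an elevated Windows PowerShell on the live host.
$sysdir   = [Environment]::GetFolderPath('System')   # %SYSDIR%, e.g. C:\Windows\System32
$files    = 'svjvpn.sys', 'svkvpn.sys', 'svkvpn.dll'
$services = 'svjvpn', 'svkvpn'
$findings = @()

# 1. Dropped files. The .sys rootkit hides itself and svkvpn.dll from user-mode
#    filesystem access, so Present=False here does NOT mean the file is absent.
foreach ($f in $files) {
    $p = Join-Path $sysdir $f
    $findings += [pscustomobject]@{ Check = 'File'; Item = $p; Present = (Test-Path -LiteralPath $p) }
}

# 2. Winlogon Notify package: makes winlogon.exe load svkvpn.dll at logon
#    (a 2000/XP-era mechanism; Notify packages are not honoured on Vista and later).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn'
$findings += [pscustomobject]@{ Check = 'WinlogonNotify'; Item = $notify; Present = (Test-Path $notify) }
if (Test-Path $notify) {
    # Show the DLLName / event-handler values the Trojan wrote.
    Get-ItemProperty -Path $notify | Format-List
}

# 3. Service keys for the two drivers. ImagePath is recorded so the broken path
#    on the svkvpn entry (which is why svkvpn.sys never runs) can be seen directly.
foreach ($s in $services) {
    $svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    $present = Test-Path $svcKey
    $image   = if ($present) { (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath } else { $null }
    $findings += [pscustomobject]@{ Check = 'Service'; Item = "$svcKey ImagePath=$image"; Present = $present }

    # 4. SafeBoot\Minimal subkey: the driver is also started in Safe Mode, so booting
    #    into Safe Mode does not disable the rootkit.
    $sbKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$s"
    $findings += [pscustomobject]@{ Check = 'SafeBoot'; Item = $sbKey; Present = (Test-Path $sbKey) }
}

# 5. Cross-check against the kernel's view: a driver that is loaded but whose file
#    is "missing" from disk is a strong hint that file hiding is active.
#    Get-WmiObject is used rather than Get-CimInstance so this also runs on the
#    PowerShell 2.0 shipped for the XP-era systems this Trojan targets.
$loaded = Get-WmiObject -Class Win32_SystemDriver | Where-Object { $services -contains $_.Name }
foreach ($d in $loaded) {
    $findings += [pscustomobject]@{
        Check   = 'LoadedDriver'
        Item    = "$($d.Name) state=$($d.State) path=$($d.PathName)"
        Present = $true
    }
}

$findings | Format-Table -AutoSize

$hidden = ($loaded | Measure-Object).Count -gt 0 -and
          ($findings | Where-Object { $_.Check -eq 'File' -and -not $_.Present })
if ($hidden) {
    Write-Warning 'Driver loaded but files not visible from user mode: rootkit hiding is likely active. Verify from an offline boot.'
}
if ($findings | Where-Object Present) {
    Write-Warning 'W32/Goldun.NL persistence artifacts found.'
}
```

Cleanup should be done from an offline boot (or after the svjvpn service is disabled and the host rebooted), since deleting the files and keys from under the running rootkit driver is unreliable; the SafeBoot\Minimal entries mean Safe Mode alone does not unload it.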