FRISK Software International


Summary of W32/Goldun.NL@dr
Discovered: 16 Oct 2006
Definition files: 16 Oct 2006
Risk Level: Medium
Distribution: Medium

Brief Description
W32/Goldun.NL@dr is a self-hiding password-stealing Trojan. It drops two components: a dynamic-link library (DLL) which steals personal information from the infected system, and a rootkit component which tries to make detection and removal of the malware harder.


Technical Description
Upon first execution, W32/Goldun.NL@dr drops the files svjvpn.sys, svkvpn.sys and svkvpn.dll into %SYSDIR%. All of the dropped files are also detected as W32/Goldun.NL.

Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
  • Windows 95/98/Me - C:\Windows\System
  • Windows NT/2000 - C:\Winnt\System32
  • Windows XP - C:\Windows\System32

svjvpn.sys and svkvpn.sys are identical and were detected generically as W32/Goldun.gen3 prior to signature detection. This is the rootkit component of the Trojan. It hides itself and svkvpn.dll from user-mode file system access.

svkvpn.dll is the password-stealing component. It was detected generically, prior to signature detection, as W32/Goldun.gen1. It tries to steal the user's passwords for eBay, E-gold and PayPal accounts.

Creates the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn]

and adds several values to it to make the file svkvpn.dll run at startup.

Creates the registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svjvpn]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkvpn]

and adds several values and subkeys to them to make the files svjvpn.sys and svkvpn.sys load at startup. However, the path recorded for svkvpn.sys is wrong, so that driver is never loaded.

Adds subkeys to the registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

to make the above services run in safe mode.
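As an added example that is not part of the FRISK advisory, the following PowerShell triage script checks a host for the artifacts listed in the Technical Description above: the three dropped files in the system directory, the Winlogon Notify and Services keys, and the SafeBoot\Minimal subkeys. The function name Get-GoldunArtifacts is ours, as are two assumptions the page does not state: that the SafeBoot\Minimal subkeys are named after the two services, and that the Notify and Services keys carry the usual DllName and ImagePath values (the page names the keys but not their values).

```powershell
# Added example, not code from the FRISK advisory. Run from an elevated
# PowerShell on the host being triaged. Assumptions not stated on the page:
# SafeBoot\Minimal subkeys are named after the services, and the Notify/
# Services keys use the standard DllName / ImagePath values.

function Get-GoldunArtifacts {
    [CmdletBinding()]
    param(
        # %SYSDIR% in the advisory; System32 on NT-based Windows
        [string]$SysDir = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = @()

    # 1. Persistence keys named in the advisory. The registry is the more
    #    reliable place to look: the rootkit driver hides files from
    #    user-mode file access, but the page does not say it hides keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn',
        'HKLM:\SYSTEM\CurrentControlSet\Services\svjvpn',
        'HKLM:\SYSTEM\CurrentControlSet\Services\svkvpn'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            # DllName (Winlogon Notify) or ImagePath (service) should point at a dropped file
            $detail = @($props.DllName, $props.ImagePath | Where-Object { $_ }) -join ';'
            $findings += [pscustomobject]@{ Type = 'Registry'; Path = $key; Detail = $detail }
        }
    }

    # 2. SafeBoot\Minimal subkeys that let the services load in safe mode.
    #    Assumption: the subkey names match the service names.
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    if (Test-Path -LiteralPath $safeBoot) {
        $subkeys = Get-ChildItem -LiteralPath $safeBoot -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^(svjvpn|svkvpn)$' }
        foreach ($sk in $subkeys) {
            $findings += [pscustomobject]@{ Type = 'SafeBoot'; Path = $sk.PSPath; Detail = $sk.PSChildName }
        }
    }

    # 3. Dropped files. A clean result here is NOT proof of absence: the
    #    driver hides itself and svkvpn.dll from user-mode file access, so
    #    confirm from an offline boot (mounted volume) or a rootkit-aware scanner.
    foreach ($name in 'svjvpn.sys', 'svkvpn.sys', 'svkvpn.dll') {
        $file = Join-Path $SysDir $name
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Path = $file; Detail = "SHA256=$hash" }
        }
    }

    # 4. Driver services as seen by the Service Control Manager, which does
    #    not depend on the (possibly filtered) file system view.
    foreach ($svc in 'svjvpn', 'svkvpn') {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        if ($drv) {
            $findings += [pscustomobject]@{ Type = 'Driver'; Path = $drv.PathName; Detail = "State=$($drv.State)" }
        }
    }

    return $findings
}

$result = @(Get-GoldunArtifacts)
if ($result.Count -eq 0) {
    Write-Host 'No W32/Goldun.NL@dr artifacts found (the file check may be blinded by the rootkit).'
} else {
    $result | Format-Table -AutoSize
}
```

The registry and SCM checks are the ones to trust on a live system; because the driver hides itself and svkvpn.dll from user-mode file system access, the file check can return nothing on an infected host, and the file list should be re-checked from an offline boot before the machine is declared clean.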


Removal Instructions
For general removal instructions, please click here.

Marteinn Þór Harðarson