Trojan.Banker.LCG (Trojan-Spy.Win32.Goldun.axt, Trojan.Goldun, Win32/Spy.Goldun.NDJ, Trojan:Win32/Agent.PX)
SYMPTOMS: There are no obvious symptoms because of the rootkit capabilities of this malware. Occasionally an empty file with the extension ".bin" (k86.bin) may be present in the %system32% folder. If you scan with an anti-rootkit tool you might find these files:
TECHNICAL DESCRIPTION: When present on the affected computer and executed, it drops two files:
"krnlcab.sys" is a kernel-mode driver that runs as a service and has a protective role for the other malware components, hiding their files and registry keys (the rootkit component). It is registered as a service by creating these registry keys:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\DisplayName [data: Cabinet Kernel Packer]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ErrorControl [data: dword:00000000]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\ImagePath [data: system32\krnlcab.sys]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Start [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Type [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\(Default) [data: (value not set)]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab\Security\Security [data: %hex numbers%]
Type 1 marks it as a kernel driver and Start 1 (SYSTEM_START) loads it early in the boot sequence, before user-mode security software is running. It also creates these keys so the driver is loaded in Safe Mode as well (both Minimal and Networking):
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys (Default) [data: Driver]
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\krnlcab.sys (Default) [data: Driver]
The dynamic-link library (cabpck.dll) is run at startup as a Winlogon notification package, which makes winlogon.exe load it at logon (this mechanism exists on Windows XP/2003 and was removed in Windows Vista), by creating these keys:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Asynchronous [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\DllName [data: hex(2):%hex numbers% (cabpck.dll)]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Impersonate [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\MaxWait [data: dword:00000001]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\Startup [data: cabpck]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck\a950 [data: 712AEDAB17C74BC73]
It adds an exception to the Windows Firewall by creating the value %system32%\rundll32.exe in the following key:
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
This is done so that the DLL can be executed through the legitimate rundll32.exe without any pop-ups from the firewall.
It tries to steal passwords by reading the following registry keys, which hold the user's mail account data, including stored (encrypted) passwords, for Outlook Express and The Bat! respectively:
* SOFTWARE\Microsoft\Internet Account Manager\Accounts
* HKEY_CURRENT_USER\Software\RIT\The Bat!
Usually, it has a "command center" of the following form: http://[malware_website].(biz|ru). The website might be different, but the actions are similar. The communication with the server is done through a script on the website. It can run multiple jobs on an infected system: download and execute a file (for example an XP Antivirus rogue clone), update the Windows hosts file (%system32%\drivers\etc\hosts) and other administrative commands for the malware on the infected computer.
Removal instructions: Please let BitDefender disinfect your files.
ANALYZED BY: Daniel Chipiristeanu, virus researcher
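The following Python script is an added example, not part of the BitDefender write-up, that triages a `reg export` of the SYSTEM and SOFTWARE hives for the persistence and firewall-bypass indicators listed above: the krnlcab driver service, its SafeBoot entries, the cabpck Winlogon Notify package and the rundll32.exe firewall exception. Because the driver hides its registry keys on a running system, export the hives from an offline image or after the driver has been prevented from loading; an export taken on the live infected machine may simply not contain them. The sample .reg content is constructed for the demo; the C:\WINDOWS path, the extra crypt32chain control entry and the baseline list of Windows XP Notify packages are assumptions to check against your own clean reference system.

```python
# Offline triage of a Windows registry export (.reg text from `reg export`)
# for the Trojan.Banker.LCG indicators: the krnlcab driver service, its
# SafeBoot entries, the cabpck Winlogon Notify package and the rundll32.exe
# Windows Firewall exception. Added example, not BitDefender's tooling.
import re

DRIVER_SERVICE = "krnlcab"   # driver service name from the write-up
FIREWALL_LIST = (r"\services\sharedaccess\parameters\firewallpolicy"
                 r"\standardprofile\authorizedapplications\list")
# Assumption: Notify packages present on a clean Windows XP SP2 install;
# verify against your own golden image before relying on it.
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues hex data)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unquote(s):
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def decode_reg_data(data):
    """Decode a .reg value: "string", dword:, or hex(2): (UTF-16LE REG_EXPAND_SZ)."""
    if data.startswith('"') and data.endswith('"'):
        return _unquote(data)
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00") if m.group(1) == "2" else raw
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}}; the default value is named '@'."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current]["@" if name == "@" else _unquote(name)] = data
    return keys


def find_indicators(keys):
    """Return (kind, key_path, detail) tuples for each matching entry."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("\\services\\" + DRIVER_SERVICE):
            image = decode_reg_data(values.get("ImagePath", '""'))
            start = decode_reg_data(values.get("Start", "dword:00000003"))
            findings.append(("driver-service", path, f"ImagePath={image} Start={start}"))
        elif re.search(r"\\safeboot\\(minimal|network)\\" + DRIVER_SERVICE + r"\.sys$", low):
            findings.append(("safeboot", path, decode_reg_data(values.get("@", '""'))))
        elif "\\winlogon\\notify\\" in low:
            # Any Notify package outside the baseline is reported, not only cabpck.
            if path.rsplit("\\", 1)[1].lower() not in XP_NOTIFY_BASELINE:
                findings.append(("winlogon-notify", path,
                                 decode_reg_data(values.get("DllName", '""'))))
        elif low.endswith(FIREWALL_LIST):
            for name in values:   # value name is the whitelisted program path
                if name.lower().endswith("rundll32.exe"):
                    findings.append(("firewall-exception", path, name))
    return findings


def triage(reg_text):
    return find_indicators(parse_reg_export(reg_text))


# Constructed sample export mirroring the keys in the write-up; the C:\WINDOWS
# path and the crypt32chain control entry are assumptions for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\krnlcab]
"DisplayName"="Cabinet Kernel Packer"
"ImagePath"="system32\\krnlcab.sys"
"Start"=dword:00000001
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\krnlcab.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\krnlcab.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
"Asynchronous"=dword:00000001
"DllName"=hex(2):63,00,61,00,62,00,70,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Startup"="cabpck"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:rundll32"
'''

if __name__ == "__main__":
    for kind, key, detail in triage(SAMPLE_REG):
        print(f"{kind:18} {key}  ->  {detail}")
```

Real exports from `reg export` are UTF-16LE text with a BOM, so open them with encoding="utf-16" before passing the text to triage(). The Notify check deliberately reports any package outside the baseline rather than matching on the name cabpck, since the names are trivial for a new build to change while the loading mechanism is not.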