Goldun Trojan
Original issue date: April 15, 2008
It has been observed that an information-stealing Trojan called Goldun is spreading via email. It arrives as an email attachment or as a malicious link in the email body, and the message purports to come from the E-Gold online payment service or from Yahoo Shopping. The subject line of the email entices users to open the attachment or visit the malicious link, which installs the Trojan on their system.
Upon successful installation the Trojan opens a backdoor, steals confidential information such as usernames and passwords for financial accounts from the infected system, and sends this information to a remote server under the control of the attacker. The stolen credentials are then used to carry out fraudulent online banking transactions. Further, the Trojan downloads additional malware onto the infected system.
It has been observed that variants of this Trojan are spreading widely. The Trojan variant runs a hidden process that steals personal information for financial accounts and sends this data to a remote server.
Variants: Trojan.Goldun.G [Symantec]
Aliases: TR/Spy.Goldun.CS.5 [Avira], Trj/Goldun.KX [Panda], Trojan-Spy.Win32.Goldun.cs [Kaspersky]
Typical e-mail contents are as follows:
From (one of): E-gold; "IPod For Your" ipod4your@yahoo.com
Subject (one of): Attention! E-gold service pack; MS Windows/Critical Error; Track your order
Body:
Dear User,
Please read the following message carefully.
We notify that your order was approved and shipped to you via FedEx 2Day
Service, track 792531968828.
The amount of $479.95 USD was recieved from your e-gold account.
The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in characteristics of chosen product.
We appreciate your choice!
According to the rules, refund must be based on your original method of payment.
Any requests to refund using e-gold are not accepted, if the payment method was credit card.
IPod For Your, Yahoo Shopping.
Attachment (one of): setup.zip (contains the file setup.exe); MsWindowsUpdate.rar (contains the file MsWindowsUpdate.exe); OrderInfo69.exe
Upon execution, the Trojan variant:
- Copies itself as %Windir%\wmedia16.exe.
- Adds the value:
"Shell" = "%Windir%\wmedia16.exe"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Monitors access to the website www DOT e-gold DOT com, steals the user's authentication information, and adds the following strings in the address bar:
- e-gold.com/acct/acct.asp
- e-gold.com/acct/accountinfo.asp
- e-gold.com/acct/login.html
- Attempts to contact the following URLs to download further malware:
- http://udachufund.net/[Removed]/javascript/vlsi.jpg
- http://awstats/icon/[Removed]/next.php
In view of the rapid propagation of the Goldun Trojan, users are advised to implement the following countermeasures:
- Do not click on links provided in untrusted email messages.
- Block access to the malicious domains mentioned above at the gateway.
- Search for the malicious files and processes created/initiated by Goldun Trojan and delete the same.
- Search for the registry entries, made by the Goldun Trojan as mentioned and delete the same.
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures.
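The following PowerShell script is an added example, not part of the CERT-In advisory, that performs the file, process and registry search recommended above for the Goldun indicators listed in this advisory. It only reports what it finds, so an administrator can review before deleting; it assumes PowerShell 4.0 or later for Get-FileHash and should be run from an elevated prompt.

```powershell
# Added example (not from the advisory): read-only check of a Windows host for the
# Goldun host indicators described above. Nothing is deleted or modified.
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName    = 'Shell'                                  # value name named in the advisory
$droppedFile  = Join-Path $env:windir 'wmedia16.exe'     # %Windir%\wmedia16.exe
$findings     = @()

# 1. Registry persistence: a "Shell" value under the HKLM Run key pointing at wmedia16.exe.
$data = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($data -and $data -match 'wmedia16\.exe') {
    $findings += "Registry: $runKey\$valueName = $data"
}

# 2. Dropped file: the Trojan's copy of itself in the Windows directory.
if (Test-Path -LiteralPath $droppedFile) {
    # Hash is recorded so the sample can be matched against AV vendor write-ups.
    $sha256 = (Get-FileHash -LiteralPath $droppedFile -Algorithm SHA256).Hash
    $findings += "File: $droppedFile (SHA256 $sha256)"
}

# 3. Running process: any process whose image is the dropped file.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $droppedFile) } |
    ForEach-Object { $findings += "Process: PID $($_.Id) $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Goldun indicators found on this host.'
} else {
    Write-Output 'Goldun indicators found (review before removal):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

If the registry value or file is found, terminate the reported process before removing the file, then remove the Run value, and rescan with updated signatures as recommended above.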
References
http://www.symantec.com/security_response/writeup.jsp?docid=2005-010715-5330-99&tabid=2
http://vil.nai.com/vil/content/v_131189.htm
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003