Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Goldun


Destructivity Unknown UNKNOWN
Payload Steals information
Detection files published
Description created 16 Apr 2010 02:02:00
Description updated 16 Apr 2010 02:02:00
Malware type TROJAN
Alias Trojan-Spy.Win32.Goldun (Kaspersky)
Trojan.Spy.Goldun (BitDefender)
Spreading mechanism UNKNOWN



Some samples download new variants of the trojan from malicious web sites, others drop copies that were appended or otherwise embedded inside the parent executable. Dynamic Link Library (DLL) files for installation as BHOs were also dropped. Rootkit was also involved to hide the malicious files and folder entries.
One of the latest variants of this trojan family used a new method for the trigger. Not a single registry key was changed or created to reference another file or create the typical BHO entry. In fact, this variant didn’t even remain memory resident long after execution. Instead, the variant patched the Internet Explorer executable iexplore.exe. The patch ensured that a previously dropped trojan DLL component would be executed every time the compromised Internet Explorer application was launched.

Payload Details



[ DetectionInfo ] * Filename: C:\Documents and Settings\norman\Desktop\malware.exe. * Sandbox name: W32/Horst.gen31.dropper. * Signature name: NOT_SCANNED. * Compressed: YES. * TLS hooks: NO. * Executable type: Application. * Executable file structure: OK. * Filetype: PE_I386. [ General information ] * File might be compressed. * Decompressing Unk3!FSG?. * Accesses executable file from resource section. * Drops files in %WINSYS% folder. * Creating several executable files on hard-drive. * File length: 25377 bytes. * MD5 hash: e24b4a52b7df30eff2e9c256ff138148. * Packer detection: FSG v2.0. [ Changes to filesystem ] * Creates file C:\WINDOWS\TEMP\xcqwdhe.exe. * Creates file C:\WINDOWS\SYSTEM32\msgalo.dll. * Creates file C:\WINDOWS\TEMP\sdfw.bat. * Deletes file "C:\WINDOWS\TEMP\xcqwdhe.exe". * Deletes file "C:\WINDOWS\TEMP\sdfw.bat". [ Changes to registry ] * Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". *Creates key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32". * Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32". * Sets value "default"="C:\WINDOWS\SYSTEM32\msgalo.dll" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}\InprocServer32". * Sets value "p"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". * Sets value "n"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". * Sets value "s"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". * Sets value "f"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". * Sets value "t"="]\x1el\xe2\xd0L\xecg\xa1Q_\xee(\x94i:\x1c\xbd\xc1\x91\x8c\x9f\x95" in key "HKCR\CLSID\{56262124-6251-5625-3072-548536364311}". * Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56262124-6251-5625-3072-548536364311}". [ Process/window information ] * Creates a dialogbox with caption "". * Buttons found in dialogbox: id1[4,131]"Install" id2[205,131]"Close" . * Creates process "xcqwdhe.exe". * Pressing button with id 1 "Install". * Attemps to open C:\WINDOWS\TEMP\sdfw.bat NULL. * Creates process "CMD.EXE"". [ Signature Scanning ] * C:\WINDOWS\SYSTEM32\msgalo.dll (9728 bytes) : W32/Horst.gen31.


Lumension's antivirus products are in general able to remove all malicious software that is detected. Some malware variants, however, use techniques that the general product does not remove sufficiently. We have therefore developed the free product Lumension Malware Cleaner. Please use the latest version of this program from the link below if your Lumension antivirus is unable to clean the infection.

Last Updated: 12 Nov 2015 11:06:11