
System Infected : Trojan.Gamut Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Gamut activity on a compromised computer.

Additional Information

When the Trojan is executed, it creates the following registry keys to register itself as a system service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"DisplayName" = "WPUms"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ImagePath" = "%CurrentFolder%\[ORIGINAL FILE NAME].exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\"Type" = "16"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms\Security\"Security" = "[BINARY DATA]"
It then creates the following registry entries to register itself as a legacy driver service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"DeviceDesc" = "WPUms"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000\"Service" = "WPUms"
It creates a service with the following file name when Windows starts up:
%CurrentFolder%\[ORIGINAL FILE NAME].exe
The Trojan then connects to the following URLs:
http://arondo.in.ua/?8080
http://dufoper.in.ua/?8080
http://retionolo.in.ua/?8080
http://serenaso.in.ua/?8080
http://toporung.in.ua/?8080
It performs the following commands sent from the compromised computer to the CnC server:
GetIP
GetPTR
GetSubscriptionEmailsBloc
GetSubscriptionContent
EmailsSent
SubscriptionBlockNotSent
Port25Open
Port25Close
The Trojan is able to send spam after retrieving email content and addresses from the CnC server.
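The persistence entries and CnC hosts listed above can be turned into a host-triage check. The script below is an added example, not Symantec's signature logic or any code from the threat itself: it parses a Windows .reg export of HKLM\SYSTEM\CurrentControlSet (so the check can be run on a dump taken from an affected machine, on any analysis platform) and a few DNS-log lines, both constructed here, and reports which of the advisory's indicators match. The ImagePath value, the client IP and the timestamps in the sample data are placeholders; the advisory gives only %CurrentFolder%\[ORIGINAL FILE NAME].exe, so the "binary outside the Windows directory" heuristic is an assumption about what that path looks like in practice.

```python
"""Triage check for the Trojan.Gamut indicators in the advisory (added example)."""
import re
from typing import Dict, List

# Indicators taken from the advisory text.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS"
EXPECTED_SERVICE_VALUES = {"DisplayName": "WPUms", "ObjectName": "LocalSystem",
                           "Start": 2, "Type": 16}
CNC_HOSTS = {"arondo.in.ua", "dufoper.in.ua", "retionolo.in.ua",
             "serenaso.in.ua", "toporung.in.ua"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=value lines, where value is a quoted string or dword:hex.
    Other value kinds (hex:..., binary) are kept as their raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                # .reg escapes backslashes in string values as "\\"
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = val
    return keys


def check_registry(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one line per matched persistence indicator."""
    hits: List[str] = []
    svc = keys.get(SERVICE_KEY)
    if svc is not None:
        hits.append("service key present: " + SERVICE_KEY)
        for name, want in EXPECTED_SERVICE_VALUES.items():
            if svc.get(name) == want:
                hits.append(f"{name}={want!r}")
        image = str(svc.get("ImagePath", ""))
        # Assumption: the dropped binary runs from its original folder rather than
        # a system path, so an auto-start service outside %SystemRoot% is suspicious.
        if image and not image.lower().startswith(("%systemroot%", "c:\\windows")):
            hits.append("ImagePath outside Windows directory: " + image)
    if any(k == LEGACY_KEY or k.startswith(LEGACY_KEY + "\\") for k in keys):
        hits.append("legacy enum key present: " + LEGACY_KEY)
    return hits


def check_network(log_lines: List[str]) -> List[str]:
    """Return the CnC hostnames from the advisory seen as whole tokens in the log."""
    seen = set()
    for line in log_lines:
        for tok in re.findall(r"[a-z0-9.-]+", line.lower()):
            host = tok.rstrip(".")          # DNS logs may write FQDNs with a trailing dot
            if host in CNC_HOSTS:
                seen.add(host)
    return sorted(seen)


def triage(reg_text: str, dns_lines: List[str]) -> Dict[str, List[str]]:
    return {"registry": check_registry(parse_reg_export(reg_text)),
            "network": check_network(dns_lines)}


# Constructed sample data (not from a real infection): a .reg export showing the
# advisory's service and legacy-enum keys, plus three DNS-log lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPUms]
"DisplayName"="WPUms"
"ErrorControl"=dword:00000000
"ImagePath"="C:\\Users\\victim\\Downloads\\invoice.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WPUMS\0000]
"Class"="LegacyDriver"
"Service"="WPUms"
"""
SAMPLE_DNS_LOG = [
    "2024-01-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-01-01T10:00:02Z client=10.0.0.5 query=dufoper.in.ua type=A",
    "2024-01-01T10:00:03Z client=10.0.0.5 query=serenaso.in.ua. type=A",
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_DNS_LOG).items():
        print(section + ":")
        for item in items:
            print("  " + item)
```

Start=2 and Type=16 correspond to an auto-start, own-process Win32 service, which is why those two values are matched exactly; the DisplayName alone is a weak indicator, since a service name is trivially renamed, so the script weights the combination of key, values and legacy-enum entry rather than any single one.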

Affected

  • Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000