
System Infected: Backdoor.Goldsun Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

This signature detects Backdoor.Goldsun activity on the infected system.

Additional Information

When the Trojan is executed, it creates the following files:

Next, the Trojan creates the following folder:

The Trojan then creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{76891FC6-C786-11DD-CE70-0800B7B60147}\000\"Indeo" = "0"

The Trojan then connects to the following remote location:

If the Trojan cannot connect to this remote location, it will then connect to bz.kimoo.com.tw using the following hardcoded DNS servers:

The Trojan may then gather the following information:

Host name
MAC address
IP address
OS version
Language settings
Malware version
System directory
List of available drives

The Trojan may then perform the following actions:

Create a remote shell
Download and search for files
End itself
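
As an added defender-side example, not part of the Symantec signature page: a PowerShell triage function that checks a host for the two indicators named above, the registry value under the Class GUID key and the fallback host bz.kimoo.com.tw. The function name is mine, and the DNS-cache part assumes the Get-DnsClientCache cmdlet (Windows 8 / Server 2012 and later); run it from an elevated shell.

```powershell
# Added example (not from the Symantec page): local triage check for the
# Backdoor.Goldsun indicators listed in the description above. Returns the
# findings as strings; an empty result means neither indicator was observed.
function Test-GoldsunIndicators {
    # Registry path and value name exactly as given in the signature description
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{76891FC6-C786-11DD-CE70-0800B7B60147}\000'
    $valueName = 'Indeo'
    # Fallback remote host named in the description, checked against the local DNS cache
    $fallbackHost = 'bz.kimoo.com.tw'

    $findings = @()

    # -LiteralPath avoids wildcard interpretation of the GUID braces
    if (Test-Path -LiteralPath $regPath) {
        $findings += "Registry key present: $regPath"
        $item = Get-ItemProperty -LiteralPath $regPath -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
            $findings += ('Value {0} = "{1}"' -f $valueName, $item.$valueName)
        }
    }

    # Get-DnsClientCache is only available on Windows 8 / Server 2012 and later
    $cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -eq $fallbackHost -or $_.Name -eq $fallbackHost }
    foreach ($entry in $cached) {
        $findings += "DNS cache entry for $fallbackHost -> $($entry.Data)"
    }

    return $findings
}

# Wrap in @() so an empty result is still an array with a Count of 0
$results = @(Test-GoldsunIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Backdoor.Goldsun indicators found on this host.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on either indicator warrants a full scan rather than manual cleanup, since the files and folder the Trojan drops are not listed on this page.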

  • Windows