System Infected: Backdoor.Goldsun Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Backdoor.Goldsun activity on the infected system.

Additional Information

When the Trojan is executed, it creates the following files:

%System%\schmup.sys
%System%\spxroute.tmp


Next, the Trojan creates the following folder:
%System%\Plugins

The Trojan then creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{76891FC6-C786-11DD-CE70-0800B7B60147}\000\"Indeo" = "0"

The Trojan then connects to the following remote location:
avast.avstore.com.tw

If the Trojan cannot connect to this remote location, it will then connect to bz.kimoo.com.tw using the following hardcoded DNS servers:


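As an added example, not Symantec's signature logic, the following Python scans DNS query logs for the two remote locations named above and, more generally, for queries sent to a resolver other than the organisation's approved one, which is how the hardcoded-DNS-server behaviour would show up on the wire. The log line format, the approved resolver address and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Remote locations named in the Backdoor.Goldsun description above.
C2_DOMAINS = {"avast.avstore.com.tw", "bz.kimoo.com.tw"}

# Assumption: the only resolver(s) clients on this network are allowed to use.
APPROVED_RESOLVERS = {"10.0.0.2"}

# Constructed log format (an assumption, not a real product's format):
#   <timestamp> src=<client ip> dst=<resolver ip> qname=<queried name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+qname=(?P<qname>\S+)$"
)


def classify_dns_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for a suspicious line, or None for benign/malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, not treated as hits
    qname = m["qname"].rstrip(".").lower()
    reasons = []
    # Exact match or a subdomain of one of the known remote locations.
    if qname in C2_DOMAINS or any(qname.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("goldsun-c2-domain")
    # A query bypassing the approved resolver: Goldsun talks to hardcoded
    # external DNS servers when its first remote location is unreachable.
    if m["dst"] not in APPROVED_RESOLVERS:
        reasons.append("unapproved-resolver")
    if not reasons:
        return None
    return {"src": m["src"], "dst": m["dst"], "qname": qname, "reasons": ",".join(reasons)}


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return every suspicious record, in log order."""
    return [hit for hit in map(classify_dns_line, lines) if hit is not None]


# Constructed sample log: one benign query, one C2 lookup via the approved
# resolver, one C2 lookup via an external resolver, one unrelated external query.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z src=10.0.0.5 dst=10.0.0.2 qname=www.microsoft.com",
    "2024-05-01T08:00:01Z src=10.0.0.7 dst=10.0.0.2 qname=avast.avstore.com.tw",
    "2024-05-01T08:00:02Z src=10.0.0.7 dst=203.0.113.9 qname=bz.kimoo.com.tw.",
    "2024-05-01T08:00:03Z src=10.0.0.9 dst=203.0.113.9 qname=updates.example.net",
    "not a dns log line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```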
The Trojan may then gather the following information:

Host name
MAC address
IP address
OS version
Language settings
Malware version
System directory
List of available drives


The Trojan may then perform the following actions:

Create a remote shell
Download and search for files
End itself

Affected

  • Windows