This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects activity of W32.Golroted.
When executed, the worm copies itself to the following location:
%UserProfile%\Application Data\Windows Update.exe
Next, the worm creates the following files:
%UserProfile%\Application Data\pid.txt (contains the process ID of the running worm process)
%UserProfile%\Application Data\pidloc.txt (contains the path of the running worm executable)
The worm then sends an execution confirmation and information about the infected computer to a configured email address, FTP server, or Web panel. The information includes:
Local Date and Time
Internal IP Address
External IP Address
It then kills the following processes:
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "%UserProfile%\Application Data\WindowsUpdate.exe"
The worm then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\Windows Update\DEBUG\"Trace Level" = ""
It captures screenshots, logs keystrokes, records the titles of windows in focus and the contents of the clipboard, and sends this data to the configured email address, FTP server, or Web panel.
It then recovers stored passwords for the following application:
Internet Download Manager
The gathered passwords are sent to the configured email address, FTP server, or Web panel.
It then creates the following file on all removable drives:
It then creates the following file so that it runs when the above drives are accessed:
Depending on its configuration, it can also do the following:
Delete web browser cookies
Download a file from a specified URL to the %Temp% folder and run it
Visit a specified website
Block access to specified websites by adding entries to the %WINDOWS%\system32\Drivers\Etc\hosts file:
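The following PowerShell triage script is an added example and is not part of the original signature write-up or of Symantec's tooling. It checks a host for the artifacts listed above: the dropped files under %UserProfile%\Application Data, the process named in pid.txt, the "Windows Update" Run value, the ESENT DEBUG key, hosts-file entries that could be blocking sites, and root-level files on removable drives (the write-up does not name the file dropped there, so those are listed for manual review). Both spellings of the dropped executable that appear in the write-up are checked. The function name, the output format, and the hosts-file heuristic (any non-comment mapping other than localhost) are this script's own assumptions.

```powershell
# Added example: triage for W32.Golroted artifacts. Paths, key names and value
# names come from the write-up; everything else here is an assumption.
function Invoke-GolrotedTriage {
    $findings = @()
    # The write-up names the legacy "Application Data" profile path.
    $appData = Join-Path $env:USERPROFILE 'Application Data'

    # 1. Dropped files (the write-up spells the exe both with and without a space).
    foreach ($name in 'Windows Update.exe', 'WindowsUpdate.exe', 'pid.txt', 'pidloc.txt') {
        $p = Join-Path $appData $name
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = (Get-Item -LiteralPath $p).Length }
        }
    }

    # 2. pid.txt holds the worm's PID: confirm whether that process is still running.
    $pidFile = Join-Path $appData 'pid.txt'
    if (Test-Path -LiteralPath $pidFile) {
        $wormPid = (Get-Content -LiteralPath $pidFile -Raw).Trim()
        if ($wormPid -match '^\d+$') {
            $proc = Get-Process -Id ([int]$wormPid) -ErrorAction SilentlyContinue
            if ($proc) {
                $findings += [pscustomobject]@{ Type = 'Process'; Indicator = $wormPid; Detail = $proc.Path }
            }
        }
    }

    # 3. Persistence: HKCU Run value named "Windows Update".
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'Windows Update' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Indicator = "$runKey\Windows Update"; Detail = $runVal.'Windows Update' }
    }

    # 4. ESENT trace key created for the "Windows Update" process name.
    $esentKey = 'HKLM:\SOFTWARE\Microsoft\ESENT\Process\Windows Update\DEBUG'
    if (Test-Path -Path $esentKey) {
        $trace = (Get-ItemProperty -Path $esentKey -ErrorAction SilentlyContinue).'Trace Level'
        $findings += [pscustomobject]@{ Type = 'RegKey'; Indicator = $esentKey; Detail = "Trace Level='$trace'" }
    }

    # 5. hosts file: the worm blocks sites by adding mappings. Flag every
    #    non-comment mapping that is not the stock localhost entry (assumption:
    #    a clean hosts file normally contains only comments and localhost).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        Get-Content -LiteralPath $hosts | Where-Object {
            $_.Trim() -ne '' -and $_ -notmatch '^\s*#' -and $_ -notmatch '\blocalhost\b'
        } | ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'HostsEntry'; Indicator = $hosts; Detail = $_.Trim() }
        }
    }

    # 6. Removable drives (DriveType 2): list root-level files for manual review,
    #    since the write-up does not name the file it drops there.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'RemovableRootFile'; Indicator = $_.FullName; Detail = $_.Length }
        }
    }

    return $findings
}

# Run from an elevated prompt so HKLM and the hosts file are readable.
Invoke-GolrotedTriage | Format-Table -AutoSize
```

A hit on the Run value or the ESENT key alone is strong evidence; hosts-file and removable-drive findings need a manual look, because administrators legitimately edit the hosts file and removable media routinely carry files in their root.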