
System Infected: W32.Golroted Activity 7

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activity of W32.Golroted.

Additional Information

When executed, the worm copies itself as the following files:
%UserProfile%\Application Data\Windows Update.exe
%UserProfile%\Application Data\WindowsUpdate.exe

Next, the worm creates the following files:
%Temp%\SysInfo.txt
%UserProfile%\Application Data\pid.txt (contains the process ID of the worm)
%UserProfile%\Application Data\pidloc.txt (contains the path of the running worm process)


The threat then sends an execution confirmation and information about the infected computer to a specified email address, FTP server or Web panel. The computer information includes:
Computer Name
Local Date and Time
Installed Language
Operating System
Internal IP Address
External IP Address
Installed Firewall
Installed Antivirus


It then kills the following processes:
taskmgr.exe
cmd.exe
regedit.exe
msconfig.exe


It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "%UserProfile%\Application Data\WindowsUpdate.exe"

The worm then creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\Windows Update\DEBUG\"Trace Level" = ""
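The following Python script is an added triage example; it is not part of the Symantec signature or of any Symantec tooling. It checks a host snapshot against the persistence artifacts listed above: the two drop paths and the HKEY_CURRENT_USER Run value. The snapshot (the Run key contents and the set of files found) is constructed here and passed in as plain Python data; on a live system you would populate it from the registry and the file system. Note that on Windows Vista and later, %UserProfile%\Application Data is a junction to %UserProfile%\AppData\Roaming, so the files are actually found under that path and both spellings are listed. A Run value is flagged either by the name "Windows Update" or by any value, whatever its name, whose target is one of the drop paths.

```python
import ntpath
import re

# IoCs taken from the description above.  %UserProfile% is expanded at
# check time.  On Vista and later "Application Data" is a junction to
# AppData\Roaming, so the files will actually be found under that path.
DROP_FILES = [
    r"%UserProfile%\Application Data\Windows Update.exe",
    r"%UserProfile%\Application Data\WindowsUpdate.exe",
    r"%UserProfile%\AppData\Roaming\Windows Update.exe",
    r"%UserProfile%\AppData\Roaming\WindowsUpdate.exe",
]
RUN_VALUE_NAME = "windows update"


def expand(path, user_profile):
    """Expand %UserProfile% and normalise for case-insensitive comparison."""
    return ntpath.normcase(path.replace("%UserProfile%", user_profile))


def command_target(data):
    """Return the executable a Run-key value launches, without quotes or arguments.

    Handles both '"C:\\path with spaces\\x.exe" /arg' and the unquoted form
    the worm uses, where the path itself contains a space."""
    data = data.strip()
    quoted = re.match(r'"([^"]+)"', data)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return unquoted.group(1) if unquoted else data


def check_run_key(run_values, user_profile):
    """Flag HKCU\\...\\Run entries that match the worm's persistence value.

    run_values maps value name -> value data as read from the Run key.  A hit
    is either the value name "Windows Update" or any value, whatever its name,
    whose target is one of the known drop paths."""
    drop_set = {expand(p, user_profile) for p in DROP_FILES}
    hits = []
    for name, data in run_values.items():
        target = ntpath.normcase(command_target(data))
        if name.lower() == RUN_VALUE_NAME or target in drop_set:
            hits.append((name, data))
    return hits


def check_files(existing_paths, user_profile):
    """Return the drop paths (in %UserProfile% form) present in a set of real paths."""
    present = {ntpath.normcase(p) for p in existing_paths}
    return [p for p in DROP_FILES if expand(p, user_profile) in present]


if __name__ == "__main__":
    # Constructed snapshot of a suspect host; not data from a real infection.
    profile = r"C:\Users\alice"
    run_key = {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Windows Update": r"C:\Users\alice\Application Data\WindowsUpdate.exe",
    }
    files = {
        r"C:\Users\alice\AppData\Roaming\WindowsUpdate.exe",
        r"C:\Users\alice\AppData\Roaming\pid.txt",
    }
    for name, data in check_run_key(run_key, profile):
        print("Run value:", name, "=", data)
    for path in check_files(files, profile):
        print("Drop file present:", path)
```

Matching on the target path as well as on the value name matters because an attacker who renames the Run value keeps the same executable; comparing after ntpath.normcase also makes the check immune to the case differences Windows itself ignores.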

It takes screenshots, logs keystrokes, logs the titles of windows in focus and logs clipboard data, then sends them to the specified email address, FTP server or Web panel.

It then recovers and gathers passwords stored by:
Web browsers
Mail clients
Internet Download Manager
JDownloader
Minecraft
and sends the gathered passwords to the specified email address, FTP server or Web panel.

It then creates the following file on all removable drives:
%DriveLetter%\Sys.exe

It then creates the following file so that Sys.exe runs when one of those drives is opened:
%DriveLetter%\autorun.inf
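An added Python example, not Symantec's code, that parses an autorun.inf found on a removable drive, lists everything it would launch, and flags files whose launch target is the Sys.exe copy described above. The two autorun.inf texts in the block are constructed for illustration. One caveat for responders: since Microsoft's 2011 AutoRun update (KB971029) Windows no longer honours autorun.inf on removable (non-optical) drives, so on a current system the file is a hunting artifact and a lure for double-clicking rather than an automatic infection vector.

```python
import re

# Keys in [autorun] that cause something to execute (case-insensitive).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}} with lower-cased names.

    Deliberately looser than configparser: worm-written autorun.inf files are
    often padded with junk or comment lines, a BOM, and mixed casing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # junk outside a section or without key=value shape
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Every command the [autorun] section can run, in file order:
    open=, shellexecute= and shell\\<verb>\\command=."""
    autorun = parse_autorun(text).get("autorun", {})
    return [v for k, v in autorun.items() if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def executable_name(command):
    """Bare, lower-cased file name from a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(None, 1)[0] if command else ""
    return command.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def references_sys_exe(text):
    """True if any launch target is the Sys.exe copy described above."""
    return any(executable_name(c) == "sys.exe" for c in launch_targets(text))


# Constructed autorun.inf in the style a worm drops; not a real sample.
WORM_AUTORUN = r"""[autorun]
;generated
open=Sys.exe
shell\open\Command=Sys.exe /autorun
shell\explore\command="Sys.exe"
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign file: only an icon and label, nothing executes.
BENIGN_AUTORUN = "[AutoRun]\r\nicon=vendor.ico\r\nlabel=Backup drive\r\n"

if __name__ == "__main__":
    print(launch_targets(WORM_AUTORUN), references_sys_exe(WORM_AUTORUN))
    print(launch_targets(BENIGN_AUTORUN), references_sys_exe(BENIGN_AUTORUN))
```

The shell\<verb>\command keys are checked as well as open= because they hijack the "Open" and "Explore" context-menu actions, which is how a user who double-clicks the drive in Explorer ends up running the dropper even when nothing starts automatically.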

Depending on its configuration, it can also do the following:
delete web browser cookies
download a file from a specified URL to the %Temp% folder and run it
visit a specified website
block access to specified websites by adding entries of the following form to %WINDOWS%\system32\Drivers\Etc\hosts:
127.0.0.1 [website]
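An added Python example, not Symantec's code, that parses a Windows hosts file and reports every name redirected to a non-routable address, which is the effect of the block entries described above. The sample hosts content is constructed, and the example.* names stand in for whatever sites a given configuration blocks. It goes slightly beyond the 127.0.0.1 case: ::1 and 0.0.0.0 entries block a site just as effectively, so they are flagged too, while the localhost aliases a stock hosts file contains are excluded.

```python
import ipaddress

# Names a stock hosts file legitimately maps to loopback; everything else
# pointed at loopback or 0.0.0.0 is treated as a block entry.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each effective hosts line.

    Anything after '#' is a comment; blank, comment-only and malformed lines
    (bad address, no hostname) are skipped rather than raising."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield line_no, ip, [h.lower() for h in parts[1:]]


def sinkholed_hosts(text):
    """Return (hostname, address, line_no) for every name the file makes
    unreachable by mapping it to a loopback or unspecified address.

    Generalises the 127.0.0.1 case above: ::1 and 0.0.0.0 have the same
    blocking effect and are also flagged."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name not in BENIGN_LOOPBACK_NAMES:
                findings.append((name, str(ip), line_no))
    return findings


# Constructed hosts file: stock entries first, then entries of the kind the
# worm adds.  The example.* names are placeholders, not sites the worm targets.
SAMPLE_HOSTS = """# Constructed sample; stock entries first
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.example.com   # added by the worm
127.0.0.1 update.example.net
0.0.0.0   example.org
10.0.0.5  intranet.example.com
"""

if __name__ == "__main__":
    for name, addr, n in sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {addr}")
```

The 10.0.0.5 line is reported nowhere: a routable address is an ordinary static mapping, not a block, and treating every non-stock line as suspicious would drown the two or three entries that matter.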

Affected

  • Windows
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube