The Trojan was spread by large-volume spam campaigns. In Hungary it represents a special risk, because it leads the top list of malware sent by spam in the system of the popular Hungarian webmail provider freemail.hu.
The spam e-mails had the following content:

Subject: Security Update for OS Microsoft Windows

Body:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,
Steve Lipner
Director of Security Assurance
Microsoft Corp.

The attachment of the spam e-mails was the Trojan itself, a UPX-packed dropper. On its first run it creates two files in the %system% folder (both files are detected by VirusBuster products as "Trojan.Goldun.AQI"):

vbagz.sys - length: 8,720 bytes
gzipmod.dll - length: 22,016 bytes

The malware creates a Winlogon notification package registry entry for its "gzipmod.dll":

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Winlogon\Notify\gzipmod "" = gzipmod

The Trojan also creates a custom firewall rule in the registry so that it can communicate freely over the internet, and injects its code into the "svchost.exe" process. The malware collects information about the infected computer - POP3 and IMAP access data, information stored during web browsing, cookies - and sends it to a predefined URL.
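As an added example (not VirusBuster's code), the following PowerShell check looks for the persistence entry and dropped files described above on a Windows host. The registry key, file names and sizes come from the analysis; the function name Test-GoldunIndicators and the output format are assumptions.

```powershell
# Added example: checks a Windows host for the Trojan.Goldun.AQI indicators
# described in the analysis (not VirusBuster's code). Function name and output
# format are assumptions; key path, file names and sizes are from the analysis.
function Test-GoldunIndicators {
    $findings  = @()
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    # Dropped files and their lengths in bytes, as given in the analysis
    $dropped   = @{ 'vbagz.sys' = 8720; 'gzipmod.dll' = 22016 }

    # 1. Winlogon Notify packages are DLLs loaded into winlogon.exe at logon.
    #    Report the gzipmod entry and list every other package so an analyst
    #    can compare the remaining ones against a known-good baseline.
    if (Test-Path -Path $notifyKey) {
        foreach ($sub in Get-ChildItem -Path $notifyKey) {
            $name    = $sub.PSChildName
            $props   = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
            $default = $props.'(default)'   # the analysis shows "" = gzipmod
            $dllName = $props.DllName
            if ($name -ieq 'gzipmod' -or "$default$dllName" -imatch 'gzipmod') {
                $findings += "MATCH: Winlogon Notify package '$name' (default='$default', DllName='$dllName') matches Trojan.Goldun.AQI"
            } else {
                $findings += "INFO: Winlogon Notify package '$name' (DllName='$dllName') - verify against baseline"
            }
        }
    }

    # 2. Dropped files in the system folder; the size is compared with the
    #    analysis, but a differing size is still reported (possible variant).
    $sysDir = [Environment]::GetFolderPath('System')
    foreach ($entry in $dropped.GetEnumerator()) {
        $path = Join-Path -Path $sysDir -ChildPath $entry.Key
        if (Test-Path -Path $path) {
            $len = (Get-Item -Path $path).Length
            if ($len -eq $entry.Value) { $note = 'size matches analysis' }
            else { $note = "size $len bytes differs from analysis ($($entry.Value))" }
            $findings += "MATCH: dropped file present: $path ($note)"
        }
    }

    if ($findings.Count -eq 0) { $findings += 'No Trojan.Goldun.AQI indicators found' }
    return $findings
}

Test-GoldunIndicators | ForEach-Object { Write-Output $_ }
```

Run from an elevated prompt so the HKLM key and the system folder are readable; on Vista and later the Notify key is no longer used by Winlogon, so only the file check is meaningful there.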