TSPY_GOLROTED.ADT

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following non-malicious files:

• %Application Data%\pidloc.txt → contains full name and path of malware process
• %User Temp%\holdermail.txt
• %Application Data%\pid.txt → contains the process id of the malware process
• %User Temp%\Login Data <- deleted afterwards

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This spyware modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "1"

(Note: The default value data of the said registry entry is {User preference}.)

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Information Theft

This spyware gathers the following data:

• Computer name
• Local Date and Time
• Installed Language
• .Net Version
• Operating System Platform
• Operating System Version
• Internal IP Address
• External Ip Address
• Installed Antivirus
• Installed Firewall
• Key logs
• Clipboard logs
• Computer Screenshot
• Account information from:
  • Bitcoin
  • Minecraft
  • Steam
  • RuneScape
  • Google Talk
  • Pidgin Messenger
  • Paltalk Messenger
  • Miranda Messenger
  • Windows Credential Manager

It attempts to steal stored email credentials from the following:

• Mozilla Thunderbird
• MS Outlook
• Windows Live Mail
• Yahoo! Mail
• IncrediMail
• Gmail
• Google Desktop Search Mail
• FoxMail

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Internet Explorer
• Firefox
• Google Chrome
• Opera Browser
• Apple Safari
• SeaMonkey Browser
• Flock Browser
• Chrome SXS Browser
• CoolNovo Browser
• Comodo Dragon Browser

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}.{BLOCKED}.212.64/WebPanel/log.php

It sends the data it gathers to the following email addresses via SMTP:

• {BLOCKED}s@alnasserstone.com

Other Details

This spyware connects to the following URL(s) to get the affected system's IP address:

• http://whatismyipaddress.com/
• http://dyn.com/dns/
• https://www.noip.com/