GOLDCASH
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware, Spammed via email
GOLDCASH, also known as OFICLA, is a malware family of Trojans. It downloads notorious malware such as TDSS, FAKEAV, and ZEUS.
Some GOLDCASH variants arrive in spammed email disguised as a Microsoft Office file attachment. These variants download another downloader malware.
TECHNICAL DETAILS
Yes
Downloads files
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%\calc.ifo
- %System%\tapi.nfo
- %User Temp%\{number}.tmp
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Autostart Technique
This Trojan modifies the following registry entries to ensure it automatic execution at every system startup:
HKLM\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe rundll32.exe tapi.nfo beforeglav"
(Note: The default value data of the said registry entry is "explorer.exe".)
HKLM\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe rundll32.exe calc.ifo beforemain"
(Note: The default value data of the said registry entry is "explorer.exe".)
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
idid
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
idid
idid = "{value}"
Download Routine
This Trojan accesses the following websites to download files:
- http://{BLOCKED}.{BLOCKED}.113.210/dir/b.php
- http://{BLOCKED}redov.ru/mld/se.php
- http://{BLOCKED}restanis.com/mld/se.php