Analysis by: Francis Xavier Antazo

ALIASES:

TrojanSpy:MSIL/Golroted.B (MICROSOFT), a variant of MSIL/PSW.Agent.NEX trojan (NOD32)

PLATFORM:

Windows


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel: Via removable drives, Downloaded from the Internet, Dropped by other malware

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

TECHNICAL DETAILS

Payload: Steals information

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %Application Data%\Windows Update.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

  • %Application Data%\pid.txt
  • %Application Data%\pidloc.txt
  • %User Temp%\SysInfo.txt
  • %User Temp%\screens\screenshot1.jpeg

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

  • %Application Data%\WindowsUpdate.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {Removable Drive Letter}:\Sys.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=Sys.exe
action=Run win32
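As an added defender-side example that is not part of this Trend Micro description, the following Python checks an AUTORUN.INF body for the open/action pair quoted above and matches a file listing against the drop locations named in the Installation section. The concrete folders substituted for %Application Data% and %User Temp% and the sample file paths are constructed for illustration.

```python
# Added example (not Trend Micro's code): offline checks for the WORM_GOLROTED.DAM
# indicators in this description. Sample inputs under __main__ are constructed.
import configparser
import ntpath
from typing import Dict, Iterable, List, Optional

# open/action pair the description quotes from the dropped AUTORUN.INF
GOLROTED_AUTORUN = {"open": "sys.exe", "action": "run win32"}

# Drop locations from the Installation section, with the description's placeholders
GOLROTED_DROPS = [
    r"%Application Data%\Windows Update.exe",
    r"%Application Data%\WindowsUpdate.exe",
    r"%Application Data%\pid.txt",
    r"%Application Data%\pidloc.txt",
    r"%User Temp%\SysInfo.txt",
    r"%User Temp%\screens\screenshot1.jpeg",
]

def parse_autorun(text: str) -> Optional[Dict[str, str]]:
    """Return the [autorun] keys and values of an AUTORUN.INF body, lower-cased,
    or None when there is no parseable [autorun] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lower())  # header/value case varies; normalise once
    except configparser.Error:        # e.g. data before any section header
        return None
    if not cp.has_section("autorun"):
        return None
    return {k: v.strip() for k, v in cp.items("autorun")}

def is_golroted_autorun(text: str) -> bool:
    """True when the INF carries the exact open/action pair from this description."""
    keys = parse_autorun(text)
    return keys is not None and all(keys.get(k) == v for k, v in GOLROTED_AUTORUN.items())

def expand_drop(indicator: str, app_data: str, user_temp: str) -> str:
    """Replace the description's placeholders with concrete folder paths (assumed values)."""
    return indicator.replace("%Application Data%", app_data).replace("%User Temp%", user_temp)

def find_dropped_files(present: Iterable[str], app_data: str, user_temp: str) -> List[str]:
    """Return entries of `present` (a file listing) that sit at a known drop location.
    ntpath.normcase makes the comparison case-insensitive, as NTFS lookups are."""
    wanted = {ntpath.normcase(expand_drop(d, app_data, user_temp)) for d in GOLROTED_DROPS}
    return sorted(p for p in present if ntpath.normcase(p) in wanted)

if __name__ == "__main__":
    # Constructed sample: the INF body quoted above versus a benign installer INF
    print(is_golroted_autorun("[autorun]\nopen=Sys.exe\naction=Run win32\n"))    # True
    print(is_golroted_autorun("[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"))  # False
```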

Information Theft

This worm gathers the following data:

  • CD Key
  • Product Key
  • Serial Number
  • malware process id
  • malware path
  • original malware path
  • hostname
  • Screenshots
  • Keyboard Logs
  • Clipboard Logs
  • System Time
  • Internal Language
  • Operating System
  • Internal IP
  • External IP
  • AntiVirus Installed
  • Firewall Installed
  • Current Active Window

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • whatismyipaddress.com

NOTES:

It accesses the following SMTP server in preparation for sending its stolen information:

  • {BLOCKED}p.mail.ru

It steals passwords from the following:

  • Browsers
  • Messaging Applications
  • Internet Download Manager
  • Jdownloader
  • Minecraft

It steals passwords from the following messaging and email applications:

  • Microsoft Outlook
  • Mozilla Thunderbird
  • IncrediMail
  • Eudora
  • Yahoo! Mail
  • Google Talk
  • Gmail Notifier
  • MSN Messenger
  • Windows Live Mail
  • Miranda Messenger

It steals passwords from the following browsers:

  • Firefox
  • Internet Explorer
  • Chrome
  • Chrome SxS
  • Opera
  • Apple Safari
  • SeaMonkey

It disables the following processes:

  • taskmgr.exe
  • Taskmgr.exe
  • regedit.exe
  • msconfig.exe
  • cmd.exe

It gathers CD keys, product keys and serial numbers from the following registry keys:

HKEY_LOCAL_MACHINE\Software\Ubisoft\Splinter Cell Pandora Tomorrow
HKEY_LOCAL_MACHINE\Software\Ubisoft\Splinter Cell Chaos Theory\Keys
HKEY_LOCAL_MACHINE\Software\Activision\Call of Duty
HKEY_LOCAL_MACHINE\Software\Activision\Call of Duty United Offensive
HKEY_LOCAL_MACHINE\Software\Activision\Call of Duty 2
HKEY_LOCAL_MACHINE\Software\Activision\Call of Duty 4
HKEY_LOCAL_MACHINE\Software\Activision\Call of Duty WAW
HKEY_LOCAL_MACHINE\Software\THQ\Dawn of War
HKEY_LOCAL_MACHINE\Software\THQ\Dawn of War - Dark Crusade
HKEY_LOCAL_MACHINE\Software\SEGA\Medieval II Total War
HKEY_LOCAL_MACHINE\Software\Adobe\Golive\5.0\Registration
HKEY_LOCAL_MACHINE\Software\ahead\Installation\BAK\Nero 7\Info
HKEY_LOCAL_MACHINE\Software\ACD Systems\PicaView
HKEY_LOCAL_MACHINE\Software\Eugen Systems\ActOfWa
HKEY_LOCAL_MACHINE\Software\Adobe\Photoshop\7.0\Registration
HKEY_LOCAL_MACHINE\Software\Elcom\Advanced PDF Password Recovery\Registration
HKEY_LOCAL_MACHINE\Software\Elcom\Advanced PDF Password Recovery Pro\Registration
HKEY_LOCAL_MACHINE\Software\Elcom\Advanced ZIP Password Recovery
HKEY_LOCAL_MACHINE\Software\Sunflowers\Anno 1701
HKEY_LOCAL_MACHINE\Software\ashampoo\Ashampoo WinOptimizer Platinum 3
HKEY_LOCAL_MACHINE\Software\@stake\LC5\Registration
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield 1942
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield 2
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield 2142
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Battlefield Vietnam
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Black and White
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Boulder Dash Rocks
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Burnout Paradise
HKEY_LOCAL_MACHINE\Software\TechSmith\Camtasia Studio\4.0
HKEY_LOCAL_MACHINE\Software\Techland\Chrome
HKEY_LOCAL_MACHINE\Software\Codec Tweak Tool
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour
HKEY_LOCAL_MACHINE\Software\Westwood\Red Alert 2
HKEY_LOCAL_MACHINE\Software\Westwood\Red Alert
HKEY_LOCAL_MACHINE\Software\Westwood\Tiberian Sun
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Command and Conquer 3
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Electronic Arts\Command and Conquer 3
HKEY_LOCAL_MACHINE\Software\THQ\Company of Heroes
HKEY_LOCAL_MACHINE\Software\Valve\Counter-Strike\Settings
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Electronic Arts\Crysis
HKEY_LOCAL_MACHINE\Software\CyberLink\PowerDVD
HKEY_LOCAL_MACHINE\Software\CyberLink\PowerBar
HKEY_LOCAL_MACHINE\Software\CyberLink\PowerProducer\3.0\UserReg
HKEY_LOCAL_MACHINE\Software\Valve\Day of Defeat\Settings
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 University
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 NightLife
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Open For Business
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Pets
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Seasons
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Glamour Life Stuff
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Celebration Stuff
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 H M Fashion Stuff
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Family Fun Stuff
HKEY_LOCAL_MACHINE\Software\DVD Audio Extractor\Settings
HKEY_LOCAL_MACHINE\Software\Sierra\Empire Earth II
HKEY_LOCAL_MACHINE\Software\Sierra\CDKey
HKEY_LOCAL_MACHINE\Software\F-Secure\BackWeb\iLauncher
HKEY_LOCAL_MACHINE\Software\CRYTEK\FARCRY\UBI.COM
HKEY_LOCAL_MACHINE\Software\CRYTEK\FARCRY2\UBI.COM
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 2002
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 2003
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 2004
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 2005
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 07
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Electronic Arts\FIFA 08
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Distribution\Freedom Force
HKEY_LOCAL_MACHINE\Software\THQ\Frontlines: Fuel of War Beta
HKEY_LOCAL_MACHINE\Software\THQ\Frontlines: Fuel of War
HKEY_LOCAL_MACHINE\Software\Headlight\GetRight
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Global Operations
HKEY_LOCAL_MACHINE\Software\Valve\Gunman
HKEY_LOCAL_MACHINE\Software\Valve\Half-Life\Setting
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Hellgate: London
HKEY_LOCAL_MACHINE\Software\Illusion Softworks\Hidden & Dangerous 2
HKEY_LOCAL_MACHINE\Software\IGI 2 Retail\CDKey
HKEY_LOCAL_MACHINE\Software\Ahead\InCD
HKEY_LOCAL_MACHINE\Software\JoWood\InstalledGames\IG2
HKEY_LOCAL_MACHINE\Software\AVConverter\iPod Converter
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire
HKEY_LOCAL_MACHINE\Software\3d0\Status Legents of Might and Magic
HKEY_LOCAL_MACHINE\Software\Macromedia\Flash\7\Registration
HKEY_LOCAL_MACHINE\Software\Macromedia\Fireworks\7\Registration
HKEY_LOCAL_MACHINE\Software\Macromedia\Dreamworks\7\Registration
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Madden NFL 07
HKEY_LOCAL_MACHINE\Software\JSG\Matrix Saver V2
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Medal of Honor Airborne
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Medal of Honor: Heroes 2
HKEY_LOCAL_MACHINE\Software\mIRC
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\Nascar Racing 2002
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\Nascar Racing 2003
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\NHL 2002
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\NBA LIVE 2003
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\NBA LIVE 2004
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\NBA LIVE 07
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\NBA LIVE 08
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Electronic Arts\Need for Speed Carbon
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Need for Speed Hot Pursuit 2
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Need for Speed Most Wanted
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Electronic Arts\Neeed for Speed ProStreet
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Need For Speed Underground
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Need For Speed Underground 2
HKEY_LOCAL_MACHINE\Software\Ahead\nero - Burning Rom\Info
HKEY_LOCAL_MACHINE\Software\Nero\Installation\Families\Nero 7\Info
HKEY_LOCAL_MACHINE\Software\Nero\Installation\Families\Nero 8\Info
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\NHL 2003
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\NHL 2004
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\NHL 2005
HKEY_LOCAL_MACHINE\Software\Westwood\Nox
HKEY_LOCAL_MACHINE\Software\OnlineTCPlayer\RegInfo
HKEY_LOCAL_MACHINE\Software\O&O\O&O Degrag\8.0\Pro\Licenses
HKEY_LOCAL_MACHINE\Software\PowerQuest\PartitionMagic\8.0\UserInfo
HKEY_LOCAL_MACHINE\Software\Passware\Encryption Analyzer\1\Registration,License
HKEY_LOCAL_MACHINE\Software\Passware\Windows Key 7\Registration
HKEY_LOCAL_MACHINE\Software\CyberLink\PowerDVD
HKEY_LOCAL_MACHINE\Software\EnTech\PowerStrip
HKEY_LOCAL_MACHINE\Software\KONAMI\PES2008
HKEY_LOCAL_MACHINE\Software\Red Storm Entertainment\RAVENSHIELD
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition
HKEY_LOCAL_MACHINE\Software\Ataru\Sid Meier's Pirates!
HKEY_LOCAL_MACHINE\Software\Ubisoft\SILE HUNTER III\Keys
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Maxis\ Sim City 4 Deluxe
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Maxis\ Sim City 4
HKEY_LOCAL_MACHINE\Software\Network Associates, Inc.\Sniffer Pro\4.5\USER
HKEY_LOCAL_MACHINE\Software\Silver Style Entertainment\Soldiers of Anarchy
HKEY_LOCAL_MACHINE\Software\GSC Game World\STALKER-SHOC
HKEY_LOCAL_MACHINE\Software\LucasArts\Star Wars battlefront II\1.0
HKEY_LOCAL_MACHINE\Software\LucasArts\Star Wars battlefron4 II\1.1
HKEY_LOCAL_MACHINE\Software\Steganos\SIAVPN
HKEY_LOCAL_MACHINE\Software\THQ\Gas Powered Games\Supreme Commander
HKEY_LOCAL_MACHINE\Software\Sierra\CDKEY
HKEY_LOCAL_MACHINE\Software\TechSmith\SnagIt\8
HKEY_LOCAL_MACHINE\Software\TexasCalc\License
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Battle for MiddelEarth
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Orange Box
HKEY_LOCAL_MACHINE\Software\Pagsys,Inc.\TMPGenc DVD Author\1.0
HKEY_LOCAL_MACHINE\Software\TuneUp\Utilities\6.0
HKEY_LOCAL_MACHINE\Software\TuneUp\Utilities\7.0
HKEY_LOCAL_MACHINE\Software\TuneUp\Utilities\8.0
HKEY_LOCAL_MACHINE\Software\Nullsoft\Winamp
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Sims\The Sims 3\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\Sims\The Sims 2\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Family Fun Stuff\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Glamour Life Stiff\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 Nightlife\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\The Sims 2 University\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\SPORT(TM)\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA GAMES\Mirror's Edge\ergc
HKEY_LOCAL_MACHINE\Software\ACTIVISION\Call of Duty
HKEY_LOCAL_MACHINE\Software\ACTIVISION\Call of Duty2
HKEY_LOCAL_MACHINE\Software\ACTIVISION\Call of Duty WAW
HKEY_LOCAL_MACHINE\Software\Valve\Half-Life\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Games\Halo
HKEY_LOCAL_MACHINE\Software\Valve\CounterStrike\Settings
HKEY_LOCAL_MACHINE\Software\Rockstar Games\Grand Theft Auto IV
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA SPORTS\FIFA 09\ergc
HKEY_LOCAL_MACHINE\Software\KONAMI\PES2009
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Games\Dead Space\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Games\Battlefield 2 Special Forces\ergc
HKEY_LOCAL_MACHINE\Software\Activision\Transformers2
HKEY_LOCAL_MACHINE\Software\Rockstar GAmes\Bully Scholarshop Edition
HKEY_LOCAL_MACHINE\Software\AHEAD\NERO BURNING ROM
HKEY_LOCAL_MACHINE\Software\AHEAD\INSTALLATION\FAMILIES\NERO 7\INFO
HKEY_LOCAL_MACHINE\Software\AHEAD\INSTALLATION\FAMILIES\NERO 8\INFO
HKEY_LOCAL_MACHINE\Software\NERO\SHARED\FAMILIES\NL9
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 08\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 07\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 2005\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 2004\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 2003\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Sports\FIFA 2002\ergc
HKEY_LOCAL_MACHINE\Software\Electronic Arts\EA Games\The Orange Box

SOLUTION

Minimum Scan Engine: 9.750

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.  
  • %User Temp%\SysInfo.txt
  • %Application Data%\pid.txt
  • %Application Data%\pidloc.txt
  • %User Temp%\screens\screenshot1.jpeg (screenshot)

Step 4

Search and delete AUTORUN.INF files created by WORM_GOLROTED.DAM that contain these strings

[autorun]
open=Sys.exe
action=Run win32

Step 5

Scan your computer with your Trend Micro product to delete files detected as WORM_GOLROTED.DAM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
