Sophos

Troj/Goldun-CW

Aliases
  • Trojan-Spy.Win32.Haxspy.w
  • Win32/Spy.Goldun.GU

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: August 2006 (4.08)
Protection available since: 14 June 2006 13:52:18 (GMT)
Detected by: All Sophos products

More Information

Troj/Goldun-CW is a password stealing Trojan for the Windows platform.

Troj/Goldun-CW targets cached passwords and passwords stored in the registry.

When Troj/Goldun-CW is installed the following files are created:

<System>\bt848rom.dll
<System>\ksl48.bin
<System>\m32lock.sys

The file m32lock.sys is detected as Troj/Haxdor-Gen.

The following registry entries are created so that code exported by bt848rom.dll runs on startup. The Winlogon\Notify key registers a Winlogon notification package: on Windows 2000, XP and Server 2003 winlogon.exe loads the named DLL at boot and calls the exported function named in Startup before any user has logged on, so the Trojan code runs inside winlogon.exe with SYSTEM privileges; Impersonate=1 asks Winlogon to call the DLL in the security context of the user who is logging on.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bt848rom
DllName
bt848rom.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bt848rom
Startup
bt848rom

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bt848rom
Impersonate
1

Troj/Goldun-CW may modify an infected system's hosts file.
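The following Python script is an added triage example for the two persistence and tampering indicators above (the Winlogon\Notify registration and the hosts-file modification); it is not part of the Sophos description and is not Sophos code. It parses a registry export as written by `reg export` (REG_SZ and DWORD values only) together with a hosts file, and reports Notify packages whose DllName is not on an allow-list and hosts lines that do anything other than map localhost to loopback. The registry export and hosts file embedded below are constructed sample data, and the allow-list of Notify DLLs is an assumption that should be checked against a clean image of the same Windows build.

```python
"""Offline triage for Winlogon Notify persistence and hosts-file tampering.

Added example; the sample .reg export and hosts text are constructed, and
KNOWN_NOTIFY_DLLS is an assumed allow-list, not an authoritative list.
"""
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Assumption: Notify packages normally present on Windows XP; tune per build.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll",
}

# Constructed sample: one legitimate package and the Troj/Goldun-CW entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bt848rom]
"DllName"="bt848rom.dll"
"Startup"="bt848rom"
"Impersonate"=dword:00000001
"""

# Constructed sample hosts file: a blocked update host and a redirected site.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test
203.0.113.7     www.example-bank.test   # constructed entry
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from a .reg export.

    Handles quoted REG_SZ values and dword: values; other types are kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, rawval = m.groups()
            if rawval.startswith('"') and rawval.endswith('"'):
                value = rawval[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            elif rawval.startswith("dword:"):
                value = int(rawval[len("dword:"):], 16)
            else:
                value = rawval
            keys[current][name] = value
    return keys


def suspicious_notify_packages(keys):
    """Return (subkey, DllName, Startup, Impersonate) for non-allow-listed packages."""
    prefix = NOTIFY_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = str(values.get("DllName", "")).strip()
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base and base not in KNOWN_NOTIFY_DLLS:
            hits.append((path[len(NOTIFY_KEY) + 1:], dll,
                         values.get("Startup"), values.get("Impersonate")))
    return hits


def suspicious_hosts_entries(text):
    """Return (ip, name) for every hosts mapping other than localhost -> loopback."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if not (ip in ("127.0.0.1", "::1") and name.lower() == "localhost"):
                hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for hit in suspicious_notify_packages(parse_reg_export(SAMPLE_REG)):
        print("Unexpected Winlogon Notify package:", hit)
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("Non-loopback hosts entry:", hit)
```

On a live machine, feed the script the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and the contents of `%SystemRoot%\system32\drivers\etc\hosts`; any flagged Notify package should be matched against the files listed above (bt848rom.dll, ksl48.bin, m32lock.sys) before removal, since the DLL is loaded by winlogon.exe and cannot simply be deleted while the system is running.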
