Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 29 January 2005 15:22:05 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
Windows 2000
You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.
- At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
- Before you edit the registry, you should make a backup. Select the 'HKEY_LOCAL_MACHINE on local machine' window. Select 'HKEY_LOCAL_MACHINE'. On the 'Registry' menu, click 'Save Subtree As'. Save the registry subtree as Backup.
- Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Select '<Trojan_entry>'
- On the Security menu select 'Permissions'
- In 'Permissions for...' deselect 'Allow inheritable permissions from parent to propagate to this object'
- In the Security dialog, click 'Remove'
- Click 'OK'
- Click 'Yes' to deny everyone access to the key
- Close the registry editor.
Follow the Safe Mode with Command Prompt instructions for removing Trojans.
Re-open the registry editor to delete the Trojan registry entries.
- At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
- Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Select '<Trojan_entry>'
- On the Security menu select 'Permissions'
- In 'Permissions for...' select 'Allow inheritable permissions from parent to propagate to this object'
- Click 'OK'
- On the Edit menu select 'Delete'
- Click 'Yes' to delete the key
- **Select and delete any other necessary keys**
- Close the registry editor.
Windows XP/2003
You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.
- At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
- Before you edit the registry, you should make a backup. Select 'My Computer'. On the 'File' menu, click 'Export'. Save your registry as Backup.
- Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Right-click '<Trojan_entry>'
- Select 'Permissions'
- In the 'Permissions for...' dialog, click 'Advanced'
- In the 'Advanced Security Settings for...' dialog, deselect 'Inherit from parent the permission entries that apply to child objects.'
- In the Security dialog, click 'Remove'
- Click 'OK'
- Click 'Yes' to deny everyone access to the key
- Click 'OK'
- Close the registry editor.
Follow the Safe Mode with Command Prompt instructions for removing Trojans.
Re-open the registry editor to delete the Trojan registry entries.
- At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
- Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- Right-click '<Trojan_entry>'
- Select 'Permissions'
- In the 'Permissions for...' dialog, click 'Advanced'
- In the 'Advanced Security Settings for...' dialog, select 'Inherit from parent the permission entries that apply to child objects.'
- Click 'OK' twice
- Right-click '<Trojan_entry>'
- Select 'Delete'
- Click 'Yes' to delete the key
- **Select and delete any other necessary keys**
- Close the registry editor.
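Both procedures above work on the same key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, because Winlogon loads every DLL registered there at logon; that is why access to the Trojan's subkey is denied first and the key is only deleted after the Safe Mode cleanup. The following PowerShell script is an added, read-only audit of that key (it is not part of the Sophos write-up and is not a Sophos tool): it lists each Notify entry, the DLL it points to, whether that DLL exists on disk, and the key's current ACL, and flags entries whose name is on a known-bad list. The default list contains only 'f3dsl', the entry named later on this page; the -KnownBad parameter is an assumption of this example. Run it from an elevated prompt on Windows 2000/XP/2003; on Vista and later the Notify key no longer exists.

```powershell
# Added example, not from the Sophos page: audit the Winlogon Notify key edited by
# the removal procedure above. Read-only; it changes nothing in the registry.
# -KnownBad defaults to 'f3dsl', the Trojan entry named on this page.
param(
    [string[]]$KnownBad = @('f3dsl')
)

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

if (-not (Test-Path -Path $notifyKey)) {
    Write-Output 'Winlogon\Notify key not present (expected on Vista and later, where Notify packages were removed).'
    return
}

$results = foreach ($sub in Get-ChildItem -Path $notifyKey) {
    $props = Get-ItemProperty -Path $sub.PSPath
    $dll   = $props.DllName

    # Notify DLLs are normally registered by bare file name and resolved from System32.
    $resolved = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
        Join-Path -Path $env:SystemRoot -ChildPath "System32\$dll"
    } else {
        $dll
    }

    [pscustomobject]@{
        Entry     = $sub.PSChildName
        DllName   = $dll
        DllExists = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        KnownBad  = ($KnownBad -contains $sub.PSChildName)
        # AccessToString shows whether the "deny everyone" step from the procedure
        # is still in place on an entry (it must be undone before the key can be deleted).
        Acl       = (Get-Acl -Path $sub.PSPath).AccessToString
    }
}

$results | Format-Table -AutoSize

# A known-bad name, or an entry whose DLL is missing (often left behind by a
# partial cleanup), should be reviewed before the next reboot.
$suspect = $results | Where-Object { $_.KnownBad -or -not $_.DllExists }
if ($suspect) {
    Write-Warning 'Review these Notify entries before rebooting:'
    $suspect | Format-Table Entry, DllName, DllExists, KnownBad -AutoSize
}
```

Entries such as crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv and wlballoon are normal on XP; anything else should be compared against the DLL on disk before it is removed.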
More Information
Troj/Goldun-G is a password stealing Trojan that steals bank details and sends them to a remote intruder.
Usually the Trojan is received by email with the filename FOTO.RAR. This is an archive containing a file whose name begins FOTO.JPG, followed by a large number of spaces and then a .EXE extension, so that the real extension is pushed out of view. When run, this file displays a pornographic image and drops a file called SVHOST.EXE into the Windows temp folder; that file is also detected as Troj/Goldun-G.
SVHOST.EXE then drops the main parts of the Trojan into the Windows system folder as IESPRT.SYS and LSD_F3.DLL. It creates a service called iesprt to run the SYS file on system startup, and creates entries under the following registry key so that the DLL is loaded on system startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl
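The behaviour described above gives a defender two things to check: the padded-extension filename trick used inside FOTO.RAR, and the files, service and registry entry the dropper leaves on the host. The PowerShell below is an added example (not from the Sophos write-up and not a Sophos tool). Test-DisguisedName is a hypothetical helper that flags a file name whose visible extension is followed by a run of whitespace and then an executable extension; the sample names passed to it are constructed. The host checks use only the paths and names given on this page, and assume the "Windows temp folder" is either %SystemRoot%\Temp or the user's %TEMP%.

```powershell
# Added example, not from the Sophos page: flag whitespace-padded double extensions
# and check a host for the indicators this write-up names. Read-only.

function Test-DisguisedName {
    # True when the name shows an innocuous extension, then two or more whitespace
    # characters, and really ends in an executable extension (e.g. "FOTO.JPG    .EXE").
    # A plain double extension such as "report.pdf.exe" is deliberately not matched here.
    param([Parameter(Mandatory)][string]$Name)
    $execExt = '\.(exe|scr|com|pif|bat|cmd)$'
    $decoy   = '\.(jpg|jpeg|gif|png|bmp|txt|doc|pdf)\s{2,}'
    return (($Name -match $execExt) -and ($Name -match $decoy))
}

# Constructed sample names (not taken from a real archive listing).
$samples = @(
    ('FOTO.JPG' + (' ' * 60) + '.EXE'),
    'holiday.jpg',
    'report.pdf.exe'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-DisguisedName -Name $s), ($s -replace '\s{2,}', '<spaces>')
}
# Expected: True for the padded name, False for the other two.

# Host indicators named on this page. The iesprt service runs a .SYS file, i.e. a
# driver; driver services are not returned by Get-Service, so the Services key is
# checked directly instead.
$sys      = Join-Path -Path $env:SystemRoot -ChildPath 'System32'
$winTemp  = Join-Path -Path $env:SystemRoot -ChildPath 'Temp'
$checks = @(
    @{ What = 'Dropped driver IESPRT.SYS';   Found = (Test-Path -LiteralPath (Join-Path $sys 'IESPRT.SYS')) }
    @{ What = 'Dropped DLL LSD_F3.DLL';      Found = (Test-Path -LiteralPath (Join-Path $sys 'LSD_F3.DLL')) }
    @{ What = 'Dropper SVHOST.EXE in temp';  Found = ((Test-Path -LiteralPath (Join-Path $winTemp 'SVHOST.EXE')) -or
                                                      (Test-Path -LiteralPath (Join-Path $env:TEMP 'SVHOST.EXE'))) }
    @{ What = 'Service iesprt';              Found = (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\iesprt') }
    @{ What = 'Winlogon Notify entry f3dsl'; Found = (Test-Path -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl') }
)
$checks | ForEach-Object { [pscustomobject]$_ } | Format-Table What, Found -AutoSize
```

Note that SVHOST.EXE differs from the legitimate SVCHOST.EXE by one letter; the file name alone is not proof either way, so a hit on any line above should be followed by a scan with an up-to-date engine before the removal steps are applied.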
