Sophos

W32/Goldax-A

Aliases
  • P2P-Worm.Win32.Goldun.a
  • PWS-Banker.ak

How it spreads
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 12 September 2005 21:24:54 (GMT)
Detected by All Sophos products

More Information

W32/Goldax-A is a Peer to Peer (P2P) worm with backdoor functionality for the Windows platform.

When run, W32/Goldax-A creates the files mcfCC4.dll and mcfdrv.sys in the Windows system folder and runs them. The worm also creates a folder named "User Local Files" in the Windows system folder and creates several copies of itself using the following filenames:

anal_sex_photos.exe
DrWEB_Key092007.exe
HACKER'S View 2.exe
julia_XXX_video.exe
Kaspersky_KEY08.exe
LAN_hacker_ver2.exe
Mozilla_1.9.927.exe
NAV_updates__05.exe
NAV2005_Keygen!.exe
NeT_KILLER_3.84.exe
NortonAntiVirus.exe
photoshop__2005.exe
ProfessionalICQ.exe
TheBat!7.51.256.exe
WindowsXP boost.exe
XXX_teens_16-18.exe

The worm contains a backdoor, which allows access to the infected computer on port 4050.

The worm steals account details and other confidential information from internet sessions with certain financial websites.

W32/Goldax-A may make the following changes to the system registry:

HKCU\Software\Kazaa\LocalContent
dir0
"012345:<Windows system folder>\User Local Files"

HKCU\Software\Kazaa\LocalContent
DlDir0
"<Windows system folder>\User Local Files"

HKCU\Software\Kazaa\Transfer
dir0
"012345:<Windows system folder>\User Local Files"

HKCU\Software\iMesh\Client\LocalContent
DlDir0
"<Windows system folder>\User Local Files"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
DllName
mcfCC4.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
Startup
"mcfCC4"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
Impersonate
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
Asynchronous
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
MaxWait
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4
key4
"[34428292601721414630[<Computer Name>]"

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv
Type
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv
Start
dword:00000001

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv
ErrorControl
dword:00000000

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv
ImagePath
\??\<Windows system folder>\mcfdrv.sys

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv
DisplayName
"MCFservice"

HKLM\SYSTEM\CurrentControlSet\Services\mcfdrv\Security
Security

HKCU\Software\Kazaa\LocalContent
DisableSharing
dword:00000000

HKCU\Software\Kazaa\Transfer
DlDir0
"<Windows system folder>\User Local Files"

HKCU\Software\iMesh\Client\LocalContent
Dir0
"012345:<Windows system folder>\User Local Files"
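As a defender-side check added here (not code from the Sophos page), the following Python parses a Windows .reg export and a file listing and flags the W32/Goldax-A indicators listed above: the mcfCC4 Winlogon Notify package, the mcfdrv service, the dropped DLL and driver, and P2P share settings redirected to "User Local Files". The .reg text and the file paths are constructed samples.

```python
# Indicators from the Sophos description of W32/Goldax-A (hive names abbreviated
# as on the page; all key comparisons are case-insensitive).
NOTIFY_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify\mcfcc4"
SERVICE_KEY = r"hklm\system\currentcontrolset\services\mcfdrv"
SHARE_FOLDER = "user local files"
DROPPED_FILES = {"mcfcc4.dll", "mcfdrv.sys"}
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

def parse_reg_export(text):
    """Yield (key, value_name, data) tuples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive.lower(), hive) + "\\" + rest
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data.strip('"')

def registry_hits(entries):
    """Return one finding per entry that matches a Goldax-A registry change."""
    hits = []
    for key, name, data in entries:
        k = key.lower()
        if k.startswith(NOTIFY_KEY):
            hits.append(f"Winlogon Notify package mcfCC4: {name}={data}")
        elif k.startswith(SERVICE_KEY):
            hits.append(f"mcfdrv service: {name}={data}")
        elif ("kazaa" in k or "imesh" in k) and SHARE_FOLDER in data.lower():
            hits.append(f"P2P share pointed at dropped folder: {key}\\{name}")
    return hits

def file_hits(paths):
    """Flag the dropped DLL/driver and anything under the 'User Local Files' share."""
    return [p for p in paths
            if p.lower().rsplit("\\", 1)[-1] in DROPPED_FILES
            or "\\" + SHARE_FOLDER + "\\" in p.lower()]

# Constructed sample export in the page's notation (not a real capture).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfCC4]
"DllName"="mcfCC4.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcfdrv]
"Start"=dword:00000001
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DlDir0"="C:\WINDOWS\system32\User Local Files"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\mcfdrv.sys",
                r"C:\WINDOWS\system32\User Local Files\NAV2005_Keygen!.exe", r"C:\WINDOWS\system32\kernel32.dll"]
```

Run `registry_hits(parse_reg_export(SAMPLE_REG))` and `file_hits(SAMPLE_FILES)` against a real `reg export` and a directory listing; a hit on the Notify key or the service key is strong evidence, while a hit on the share folder alone should be confirmed by checking for the copies listed above.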
