
Trojan:WinREG/Gowfi.A


Trojan:WinREG/Gowfi.A is part of Win32/Gowfi, a multi-component trojan family that attempts to redirect web browsing from certain sites to phishing webpages for the purpose of harvesting logon credentials. This malware adds five fake certificates to Windows trusted root certificate authorities.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
This malware is installed by Win32/Gowfi.
Payload
Disables UAC
When run, it attempts to disable UAC (User Account Control) on Windows Vista and Windows 7.

Adds fake certificates
Trojan:WinREG/Gowfi.A adds five fake CAs (Certificate Authorities) to the list of "Trusted Root Certification Authorities". The list includes fake certificates for the following web domains:
  • www2.realsecureweb.com.br
  • www.realsecureweb.com.br
  • www.santandernet.com.br
  • www2.bancobrasil.com.br
  • aapj.bb.com.br
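The following script is an added example for checking a host for both payloads described above; it is not part of the Microsoft entry. It flags Trusted Root store entries that name one of the five listed domains or that are not self-signed (a genuine root CA is always self-signed), and it reads the EnableLUA value, which is assumed here to be how UAC ends up disabled since the entry does not say which mechanism the trojan uses.

```powershell
# Added example: audit a Windows host for the two Gowfi.A payloads
# (fake roots in the Trusted Root store, UAC switched off).
# Run from an elevated PowerShell prompt.

# The five domains named in the entry above.
$SuspectDomains = @(
    'www2.realsecureweb.com.br', 'www.realsecureweb.com.br',
    'www.santandernet.com.br', 'www2.bancobrasil.com.br', 'aapj.bb.com.br'
)

function Find-SuspiciousRootCerts {
    # Heuristic: a real root CA is self-signed and never carries a web host
    # name. Anything in the ROOT store that names a suspect domain in its
    # Subject or Subject Alternative Name, or is not self-signed, is reported.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            $sanText = ($cert.Extensions |
                Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # SAN extension OID
                ForEach-Object { $_.Format($false) }) -join ';'
            $hit = $SuspectDomains | Where-Object {
                ($cert.Subject + ' ' + $sanText) -match [regex]::Escape($_)
            }
            $notSelfSigned = $cert.Subject -ne $cert.Issuer
            if ($hit -or $notSelfSigned) {
                $reason = if ($hit) { "names $($hit -join ',')" } else { 'not self-signed' }
                [pscustomobject]@{
                    Store      = $store
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Reason     = $reason
                }
            }
        }
    }
}

function Test-UacDisabled {
    # Assumption: UAC is disabled via EnableLUA=0 (the standard policy value).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 0)
}

Find-SuspiciousRootCerts | Format-Table -AutoSize
if (Test-UacDisabled) { Write-Warning 'UAC is disabled (EnableLUA=0); set it back to 1 and reboot.' }
# A confirmed fake entry is removed with:
#   Remove-Item "Cert:\LocalMachine\Root\<thumbprint>"
```

Review any "not self-signed" finding against a known-good baseline before removing it, since the check is a heuristic rather than a signature for this family.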
Below is a view of the added certificates:
Analysis by Chun Feng

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.105.313.0
Latest detected by definition: 1.117.2303.0 and higher
First detected on: May 23, 2011
This entry was first published on: May 27, 2011
This entry was updated on: Jul 22, 2013

This threat is also detected as:
No known aliases