TrojanSpy:Win32/Goldun.ZZR is a password stealer that targets online financial institution user credentials. It has been observed being distributed in the wild attached to a spammed e-mail with the following characteristics:
Subject: Hello!
Body: Hello!
You know, everybody in the world has his or her halfs.
And what about you? Are you still alone and want to be
with your beloved girl? Then write me. Maybe, I`ll be the
one for you. I`m also looking for someone, who will love
and respect me. Maybe, him will be you? Do u like my photo?
So, if you are intrested and want to know me better, I`ll
wait for your letter with your photos.
Attachment: photo.scr
Installation
When executed, TrojanSpy:Win32/Goldun.ZZR drops the following files:
<system folder>\sms32bngbn.dll - DLL component
<system folder>\winsms.dll - plain text log file
<current folder>\preved.bat - batch script used for deleting the trojan's original executable.
The trojan modifies the registry so that its DLL is loaded:
Modifies value: AppInit_DLLs
With data: "<system folder>\sms32bngbn.dll"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
The trojan also makes the following additional registry modification:
Modifies value: PS
With data: "000"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\WinSMS\printcode\333316333316614884833316614884
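As an added defender-side check (not part of the original write-up), the following Python parses a registry export in .reg format and flags the two persistence traces described above: a populated AppInit_DLLs value, which on a clean default install is empty, and the WinSMS\printcode marker key. The sample export, the concrete system folder path C:\WINDOWS\system32 (the write-up only says <system folder>) and the function names are constructed for this example.

```python
import re

# Indicators taken from the write-up above.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
GOLDUN_DLL = "sms32bngbn.dll"
GOLDUN_KEY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\WinSMS\printcode"

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.
    Only "name"="string" lines are handled, which is all these indicators need."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files double every backslash inside string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_goldun_indicators(keys):
    """Return (severity, message) findings for Goldun.ZZR registry traces."""
    findings = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    # Any DLL listed here is loaded into every user-mode process that links
    # user32.dll, so a non-empty value deserves review even if the name differs.
    if appinit.strip():
        severity = "match" if GOLDUN_DLL.lower() in appinit.lower() else "review"
        findings.append((severity, f"AppInit_DLLs = {appinit}"))
    for key in keys:
        if key.lower().startswith(GOLDUN_KEY_PREFIX.lower()):
            findings.append(("match", f"WinSMS marker key present: {key}"))
    return findings

# Constructed sample export reproducing the modifications described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sms32bngbn.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinSMS\printcode\333316333316614884833316614884]
"PS"="000"
'''

if __name__ == "__main__":
    for severity, message in find_goldun_indicators(parse_reg_export(SAMPLE_REG)):
        print(severity, message)
```

On a live host the same functions can be fed the output of `reg export` for the two hives instead of the embedded sample.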
Payload
Steals Sensitive Data
This trojan monitors connections to the following financial websites and attempts to capture login credentials:
e-gold.com
bankofamerica.com
bankofthewest.com
mattweb.cfefcu.com
When sensitive information is captured, TrojanSpy:Win32/Goldun.ZZR attempts to send the details via an FTP connection to a remote server.
Analysis by Hong Jia