Trojan:Win32/Ghodow.A is a trojan that modifies the hard disk's MBR (Master Boot Record) and unhooks various SSDT entries. It downloads and executes arbitrary files from a remote host.
Trojan:Win32/Ghodow.A may consist of several components. When executed, it may drop the following files in the infected computer:
Downloads and executes arbitrary files
Trojan:Win32/Ghodow.A's component file "atixx.sys" injects the other component file "000000000" into a chosen process to download arbitrary files.
Modifies MBR (Master Boot Record)
Trojan:Win32/Ghodow.A's component file "atixx.sys" modifies the hard disk's MBR (Master Boot Record) and writes a loader portion directly to disk sectors.
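A defender can detect this kind of MBR change by comparing sector 0 of an offline disk image against a copy saved while the system was known to be clean. The following is an added example, not part of the original analysis; the function names and the sample sectors are constructed for illustration, and it covers sector 0 only, not the other sectors the loader may occupy.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440    # bootstrap code; bytes 440-445 hold the disk signature
PART_TABLE_OFF = 446   # four 16-byte partition entries
SIG_OFF = 510          # boot signature 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Summarise the fields of a 512-byte MBR that matter for integrity checks."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # partition type 0 marks an unused slot
            partitions.append({"active": raw[0] == 0x80, "type": raw[4],
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
            "partitions": partitions}

def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return findings for every MBR field that differs from the clean baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector for the demo: filler boot code plus one NTFS entry."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 204800)
    sector[SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample data, not taken from any real disk or from the malware.
BASELINE = build_sample_mbr(b"\x33\xc0\x8e\xd0" + b"\x90" * 60)
MODIFIED = build_sample_mbr(b"\xeb\x3c" + b"\x90" * 62)

if __name__ == "__main__":
    print(compare_to_baseline(MODIFIED, BASELINE))
```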
Unhooks SSDT (System Service Descriptor Table) entries
Trojan:Win32/Ghodow.A unhooks the following SSDT entries, which may be used by security-related software:
Trojan:Win32/Ghodow.A only attempts to affect Windows XP systems.
Analysis by Chun Feng
The following system changes may indicate the presence of this malware: