TSPY_GAUSS.A | Low Risk | Trend Micro Threat Encyclopedia

Export page to PDF

TSPY_GAUSS.A

Aliases: W32.Gauss (Symantec); Trojan-Spy.Win32.Gauss (Kaspersky)
Malware type: Spyware
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
Encrypted: Yes
In the wild: Yes

Overall Risk Rating:

Low

System Impact Rating:

High

Information Exposure Rating:

High

Reported Infection:

Low

Overview

Infection Channel: Downloaded from the Internet, Dropped by other malware

This spyware is designed to steal system-related information and gather banking, social networking, email and instant messaging (IM) credentials. It is believed to be used in targeted attacks aimed at Middle East entities.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It retrieves specific information from the affected system.

It connects to certain websites to send and receive information. It terminates if the said processes exist. This is to ensure that it runs uninterrupted on the affected system.

Technical Details

File size: Varies
File type: DLL
Memory resident: Yes
Initial samples received date: 10 Aug 2012
Payload: Connects to URLs/IPs, Drops files

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following non-malicious files:

%User Temp%\~shw.tmp - log file
%User Temp%\~gdl.tmp - log file
%User Temp%\~mdk.tmp - log file
%User Temp%\md.bak - log file
%Windows%\system\Temp\s61cs3.dat - log file
%Windows%\temp\~ZM6AD3.tmp - log file
%User Temp%\ws1bin.dat - log file
%Windows%\Fonts\pldnrfn.ttf - font file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

ShellHWDetectionMutex

Autostart Technique

This spyware modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\CLSID\{CLSID}\
InProcServer32
(Default) = "%System%\wbem\wmihlp32.dll"

(Note: The default value data of the said registry entry is %system32%\wbem\wbemsvc.dll.)

Other System Modifications

This spyware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Reliability
TimeStampForUI = "{data}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Reliability
ShutdownIntervalSnapshotUI = "{data}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Reliability
ShutdownInterval = "{data}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Fonts
Palida Narrow (TrueType) = "pldnrfn.ttf"

Information Theft

This spyware retrieves the following information from the affected system:

CMOS information
BIOS information
Computer name
Domain account information
Operating System Version
Workstation information
Available drives
Driectories under %Program Files% folder
IE version
Environment variables
Network adapter information
Routing table
Disk information
Running Processes
Available Microsoft SQL servers
URL cache
Available network shares
Proxy configuration

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

www.google.com
www.update.windows.com

It connects to the following website to send and receive information:

{BLOCKED}.{BLOCKED}.45.115
{BLOCKED}.{BLOCKED}.166.116
{BLOCKED}mputeradvisor.com
{BLOCKED}nction.org
{BLOCKED}advisor.info
{BLOCKED}7.com
{BLOCKED}access.net
{BLOCKED}ity.net

It checks for the presence of the following process(es):

abcd.exe
acs.exe
adoronsfirewall.exe
alertwall.exe
ALMon.exe
ALsvc.exe
alupdate.exe
AntiHook.exe
app_firewall.exe
apvxdwin.exe
armorwall.exe
as3pf.exe
asr.exe
aupdrun.exe
authfw.exe
avas.exe
avcom.exe
AVKProxy.exe
avkservice.exe
AVKTray.exe
AVKWCtl.exe
avkwctrl.exe
avmgma.exe
avp.exe
avtask.exe
aws.exe
backgroundscanclient.exe
bgctl.exe
bgnt.exe
blackd.exe
blackice.exe
blinksvc.exe
bootsafe.exe
bullguard.exe
CavApp.exe
cavasm.exe
CavAUD.exe
CavCons.exe
CavEmSrv.exe
Cavmr.exe
CavMud.exe
Cavoar.exe
CavQ.exe
CavSn.exe
CavSub.exe
CavUMAS.exe
CavUserUpd.exe
Cavvl.exe
cdas17.exe
cdas2.exe
cdinstx.exe
CEmRep.exe
clamd.exe
CMain.exe
cmdagent.exe
cmgrdian.exe
configmgr.exe
configuresav.exe
cpd.exe
csi-eui.exe
CV.exe
DCSUserProt.exe
dfw.exe
dlservice.exe
dltray.exe
dvpapi.exe
emlproui.exe
emlproxy.exe
endtaskpro.exe
espwatch.exe
Ethereal.exe
fameh32.exe
fch32.exe
fgui.exe
filedeleter.exe
filemon.exe
firewall.exe
firewall2004.exe
firewallgui.exe
fsar32.exe
fsav32.exe
fsdfwd.exe
fsgk32.exe
fsgk32st.exe
fsguidll.exe
fshdll32.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fsorsp.exe
fspc.exe
fsqh.exe
fsrt.exe
fssm32.exe
fsus.exe
fwsrv.exe
gateway.exe
GDFirewallTray.exe
GDFwSvc.exe
GDScan.exe
gsava.exe
gssm32.exe
hpf_.exe
iface.exe
InstLsp.exe
invent.exe
ipatrol.exe
ipcserver.exe
ipctray.exe
kpf4gui.exe
kpf4ss.exe
licwiz.exe
livehelp.exe
lookout.exe
lpfw.exe
mpf.exe
mpfcm.exe
Netcap.exe
Netguard Lite.exe
netguardlite.exe
Netmon.exe
nstzerospywarelite.exe
oasclnt.exe
omnitray.exe
OnAccessInstaller.exe
onlinent.exe
op_mon.exe
opf.exe
opfsvc.exe
outpost.exe
Packetizer.exe
Packetyzer.exe
pcipprev.exe
pctav.exe
pctavsvc.exe
pcviper.exe
persfw.exe
pfft.exe
pgaccount.exe
prevxcsi.exe
prifw.exe
privatefirewall 3.exe
privatefirewall3.exe
procguard.exe
procmon.exe
protect.exe
pxagent.exe
rawshark.exe
RDTask.exe
rtt_crc_service.exe
sab_wab.exe
sagui.exe
SAVAdminService.exe
savcleanup.exe
savcli.exe
savmain.exe
savprogress.exe
SavService.exe
scfmanager.exe
scfservice.exe
schedulerdaemon.exe
sdcdevcon.exe
sdcdevconIA.exe
sdcdevconx.exe
sdcservice.exe
sdtrayapp.exe
siteadv.exe
sndsrvc.exe
Sniffer.exe
snsmcon.exe
snsupd.exe
SoftAct.exe
sp_rsser.exe
spfirewallsvc.exe
sppfw.exe
spybotsd.exe
SpyHunter3.exe
spywareterminatorshield.exe
spywat~1.exe
ssupdate.exe
SUPERAntiSpyware.exe
Tcpdump.exe
terminet.exe
Tethereal.exe
THGuard.exe
tppfdmn.exe
tscutynt.exe
tshark.exe
tzpfw.exe
umxagent.exe
umxtray.exe
updclient.exe
UUpd.exe
uwcdsvr.exe
VCATCH.EXE
vdtask.exe
VSDesktop.exe
vsmon.exe
webwall.exe
Windump.exe
winroute.exe
Wireshark.exe
wwasher.exe
xauth_service.exe
xfilter.exe
ywareterminatorshield.exe
zanda.exe
zapro.exe
zerospywarele.exe
zerospywarelite_installer.exe
zlclient.exe
zlh.exe

It terminates if the said processes exist. This is to ensure that it runs uninterrupted on the affected system.

NOTES:

This spyware uses the following components, all of which are detected as TSPY_GAUSS.A:

%System%\devwiz.ocx
%System%\dskapi.ocx
%System%\lanhlp32.ocx
%System%\mcdmn.ocx
%System%\smdk.ocx
%System%\wbem\wmihlp32.ocx
%System%\wbem\wmiqry32.ocx
%System%\windig.ocx
%System%\winshell.ocx

It checks if it is loaded by LSASS.EXE. If it is, it proceeds with the installation. If not, it proceeds with its main routine.

It creates the following events:

ShellHWStop
Global\ShellHWDetectionEvent

It writes a random binary data in the following registry key that will be used to create the file pldnrfn.ttf:

HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
ShutdownInterval = "{random binary data }"

This spyware is capable of stealing the following information:

User credentials related to online banking, social networking, email and instant messaging
Browsing history
Cookies and passwords

It installs a Firefox plugin detected as JS_GAUSS.A in order to aid in its information stealing routine.

This spyware drops the following components in removable drives:

System32.dat - also detected as TSPY_GAUSS.A
System32.bin - also detected as TSPY_GAUSS.A
thumbs.db - log file

It also creates the following folders to removable drives:

.Backup0{character}
.Backup00{character}

It then drops the following autostart components which exploits CVE-2010-2568:

desktop.ini
target.lnk

Solution

Minimum scan engine: 9.200
First VSAPI Pattern File: 9.320.04
First VSAPI Pattern Release Date: 14 Aug 2012
VSAPI OPR Pattern Version: 9.321.00
VSAPI OPR Pattern Release Date: 14 Aug 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by TSPY_GAUSS.A

JS_GAUSS.A

Step 3

Restart in Safe Mode

[ Learn more ]

Step 4

Delete this registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
- TimeStampForUI = {data}
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
- ShutdownIntervalSnapshotUI = {data}
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
- ShutdownInterval = {data}
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
- Palida Narrow (TrueType) = pldnrfn.ttf

Step 5

Restore this modified registry value

[ Learn more ]

In HKEY_CURRENT_USER\CLSID\{CLSID}\InProcServer32
- From: Default = %System%\wbem\wmihlp32.dll
  To: Default = %System%\wbem\wbemsvc.dll

Step 6

Search and delete these folders

[ Learn more ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

{removable drive letter}:\.Backup0{character}
{removable drive letter}:\.Backup00{character}

Step 7

Search and delete these files

[ Learn more ]

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

%User Temp%\~shw.tmp
%User Temp%\~gdl.tmp
%User Temp%\~mdk.tmp
%User Temp%\md.bak
%Windows%\system\Temp\s61cs3.dat
%Windows%\temp\~ZM6AD3.tmp
%User Temp%\ws1bin.dat
%Windows%\Fonts\pldnrfn.ttf
{removable drive letter}:\thumbs.db

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_GAUSS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Download and apply this security patch Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

http://technet.microsoft.com/en-us/security/bulletin/ms11-006

Did this description help? Tell us how we did.

Analysis By: Roland Marco Dela Paz

Product Support

Go To:

Popular Products

More Support

Go to:

Popular Products

Threat Encyclopedia

Overview

Technical Details

Solution