owlyn
Premium,MVM
join:2004-06-05
Newtown, PA
reply to FF4m3

Re: Can YOU Crack The Gauss Uber-Virus Encryption?

From Norton:

Discovered: August 9, 2012
Updated: August 15, 2012 2:40:23 AM
Also Known As: TSPY_GAUSS.A [Trend]
Type: Worm
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Gauss is a worm that opens a back door and collects confidential information from the compromised computer.

Antivirus Protection Dates

Initial Rapid Release version: August 9, 2012, revision 016
Latest Rapid Release version: August 9, 2012, revision 039
Initial Daily Certified version: August 9, 2012, revision 018
Latest Daily Certified version: August 10, 2012, revision 001
Initial Weekly Certified release date: August 15, 2012

Threat Assessment
Wild

Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Medium
Payload: Opens a back door.
Releases Confidential Info: Steals system information, browser history, passwords, and cookies.

Distribution

Distribution Level: Low
Shared Drives: Spreads through removable drives.

When the worm is executed, it creates the following files:

%System%\wbem\wmihlp32.dll
%System%\wbem\wmiqry32.dll
%System%\dskapi.ocx
%System%\winshell.ocx
%System%\devwiz.ocx
%System%\lanhlp32.ocx
%System%\mcdmn.ocx
%System%\smdk.ocx
%System%\windig.ocx
%UserProfile%\Local Settings\Temp\~shw.tmp
%UserProfile%\Local Settings\Temp\~gdl.tmp
%UserProfile%\Local Settings\Temp\~mdk.tmp
%Temp%\s61cs3.dat
%Temp%\~ZM6AD3.tmp
%System%\fonts\pldnrfn.ttf
%Temp%\ws1bin.dat

The worm creates the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wbemsvc.dll"
HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\"(Default)" = "wmihlp32.dll"

The worm is modular and has the following functionalities and components:

Loads other components and contains connection functionality (%System%\wbem\wmiqry32.ocx, %system32%\wbem\wmihlp32.ocx)
Collects hardware information about the CMOS and the BIOS (%System%\devwiz.ocx)
Spreads through removable drives and collects removable drive information (%System%\dskapi.ocx, contains 32 and 64-bit components)
Collects network related information (%System%\lanhlp32.ocx)
Collects information about the user domain (%System%\mcdmn.ocx)
Collects information on computer drives (%System%\smdk.ocx)
Installs a custom Palida Narrow font (%System%\windig.ocx)
Collects browser and cookie information from Firefox and Internet Explorer (%System%\winshell.ocx)

The worm steals the following from Internet Explorer:

Browsing history
Passwords
Text in data fields from loaded pages

The worm installs its own Firefox plugin that performs the following actions:

Extracts browsing history
Extracts passwords
Extracts cookies

The worm (%System%\winshell.ocx) searches for cookies from the following list:

maktoob
ebay
hotmail
gmail
facebook
amazon
creditlibanais
yahoo
fransabank
citibank
byblosbank
blombank
eblf
bankofbeirut
americanexpress
aisa
eurocard
mastercard
paypal

Note: Collected cookies are encrypted and saved to:
%Temp%\ws1bin.dat

The worm is associated with the following command-and-control servers:

gowin7.com
secuurity.net
datajunction.org
bestcomputeradvisor.com
dotnetadvisor.info
guest-access.net

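A host check for the artifacts the Norton entry lists above, added here as an example; it is not part of the Norton entry or of the post. It assumes %System% is $env:SystemRoot\System32, that the %Temp% and Local Settings\Temp paths map to $env:TEMP, and (an assumption, since the entry only names the .ttf) that a registered Palida Narrow font would show up under the standard Windows Fonts registry key.

```powershell
# Added example: look for the W32.Gauss file, registry and font artifacts
# named in the Norton entry. Run from an elevated PowerShell prompt.
$sys = Join-Path $env:SystemRoot 'System32'   # stands in for %System% (assumption)

# Dropped files from the entry, relative to %System%
$files = @(
    'wbem\wmihlp32.dll', 'wbem\wmiqry32.dll', 'dskapi.ocx', 'winshell.ocx',
    'devwiz.ocx', 'lanhlp32.ocx', 'mcdmn.ocx', 'smdk.ocx', 'windig.ocx',
    'fonts\pldnrfn.ttf'
) | ForEach-Object { Join-Path $sys $_ }
# Temp-directory artifacts; $env:TEMP stands in for %Temp% (assumption)
$files += Join-Path $env:TEMP 's61cs3.dat'
$files += Join-Path $env:TEMP 'ws1bin.dat'

$hits = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
}

# The entry shows the WBEM CLSID's InProcServer32 default value being
# redirected from wbemsvc.dll to wmihlp32.dll; flag that redirection.
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32'
$server = (Get-ItemProperty -Path $clsid -ErrorAction SilentlyContinue).'(default)'
if ($server -and $server -match 'wmihlp32') {
    $hits += "CLSID InProcServer32 points at $server"
}

# Custom Palida Narrow font: check the Fonts registration key (assumption
# about where the font would be registered; the entry names only the .ttf).
$fontKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$fonts = Get-ItemProperty -Path $fontKey -ErrorAction SilentlyContinue
if ($fonts -and ($fonts.PSObject.Properties.Name -match 'Palida')) {
    $hits += 'Palida Narrow font registered'
}

if ($hits.Count -eq 0) { 'No W32.Gauss artifacts found' } else { $hits }
```

A hit on the CLSID check or the font is the stronger signal; a lone .tmp or .dat in Temp is worth confirming against the other indicators before acting on it.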


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Hi Owlyn,

That stuff from Norton is OK..but if anyone wants to know everything about Gauss..this link is the best..

»www.securelist.com/en/analysis/2···ibution/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/