PWS-Goldun

Type: Trojan
SubType: Password Stealer
Discovery Date: 02/25/2005
Length: 10,869 bytes
Minimum DAT: 4420 (01/19/2005)
Updated DAT: 5321 (06/19/2008)
Minimum Engine: 5.1.00
Description Added: 01/19/2005
Description Modified: 10/09/2007 9:49 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update October 9, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.vnunet.com/vnunet/news/2200596/hacker-spam-poses-old-school

-- Update October 9th, 2007 --

A recent spam run uses an email formatted to appear to come from a long-lost female school friend. The mail asks the recipient to click a link to see what she looks like now. Clicking the link, as with other variants, leads to execution of further malware capable of stealing data.

-- Update August 27th, 2006 --

A spam run intended to spread a password stealer detected as PWS-Goldun has been reported.
This trojan variant was spammed on August 27th, 2006 using the following email format:

From: "IPod For Your" ipod4your@yahoo.com (forged)
Subject: Track your order
Body:

Dear User,
Please read the following message carefully.

We notify that your order was approved and shipped to you via FedEx 2Day Service, track 792531968828.
The amount of $479.95 USD was recieved from your e-gold account.
The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in characteristics of chosen product.
We appreciate your choice!
According to the rules, refund must be based on your original method of payment.
Any requests to refund using e-gold are not accepted, if the payment method was credit card.

IPod For Your, Yahoo Shopping.

Attachment: OrderInfo69.exe
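The lure above advertises a "self-extracting compressed-zip file" but actually carries a bare .exe. The following added example (not code from AVERT or the original page) shows the attachment triage a mail gateway or analyst script would run on such a message: it checks the filename extension, the file's magic bytes, and whether the body's description of the attachment contradicts what was really attached. The message is constructed inline to match the shape of the lure; the recipient address and the attachment bytes (a stub that merely starts with the "MZ" PE header) are assumptions and are not the real malware.

```python
"""Triage an email for executable or disguised attachments.

Added example; the message below is constructed to mirror the August 2006
lure and the attachment is a harmless stub, not the PWS-Goldun dropper.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the user opens the attachment.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_message():
    """Constructed sample: abridged lure text plus a stub 'OrderInfo69.exe'.

    The stub is 64 bytes starting with the DOS/PE magic 'MZ' so the magic-byte
    check has something to detect; it is not a runnable program.
    """
    msg = EmailMessage()
    msg["From"] = '"IPod For Your" <ipod4your@yahoo.com>'
    msg["To"] = "user@example.com"  # placeholder recipient (assumption)
    msg["Subject"] = "Track your order"
    msg.set_content(
        "Dear User,\n"
        "The details of transaction and specification of chosen product "
        "we send you in self-extracting compressed-zip file.\n"
    )
    stub = b"MZ" + b"\x00" * 62
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="OrderInfo69.exe")
    return msg.as_bytes()


def triage_message(raw):
    """Return findings for attachments that are executable or misdescribed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        # Magic-byte check catches an .exe renamed to .zip, .jpg, etc.
        if data[:2] == b"MZ":
            reasons.append("PE/MZ header")
        if ext == ".zip" and data[:2] != b"PK":
            reasons.append("claims zip but lacks PK magic")
        # The lure promises an archive; the attachment is a program.
        if "self-extracting" in text and ext in EXEC_EXTENSIONS:
            reasons.append("body describes archive, attachment is executable")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_message(build_sample_message()):
        print(hit["filename"], "->", "; ".join(hit["reasons"]))
```

Extension filtering alone is what the lure is designed to beat (the text primes the reader to expect an archive), so the magic-byte check is the one that matters; it also flags later variants that rename the dropper to an innocuous extension.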

Symptoms

Upon execution, it displays a decoy image (not reproduced here) to trick the user into thinking it is an order-tracking notice for an iPod.
In the background, it drops the following file:

%Windir%\%Sysdir%\msvoid.dll --> Detected as PWS-Goldun.dll

"msvoid.dll" is the downloader component. It is registered as a Browser Helper Object (BHO), so Internet Explorer loads it into its own process on every start, via the registry keys:

  • HKEY_CLASSES_ROOT\CLSID\{CE453468-C4F4-A3DE-7FBD-4569594A7FE9}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE453468-C4F4-A3DE-7FBD-4569594A7FE9}
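Every BHO that Internet Explorer loads is listed under the Browser Helper Objects key, and each entry's CLSID resolves through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 to the DLL on disk. The following added example (not code from AVERT or the original page) walks that chain over a Regedit 5.00 export so it can be run offline on a registry dump taken from a suspect host; on a live machine the same lookups would be made against the registry directly. The export text is constructed: it contains the Goldun CLSID and DLL path from this page plus an invented, benign-looking second BHO. The "trusted directories" allowlist is an assumption used only to illustrate the heuristic; legitimate BHOs can live under the system directory too, so treat a hit as a lead, not a verdict.

```python
"""Enumerate Browser Helper Objects from a .reg export and flag suspicious ones.

Added example; the SAMPLE_REG text is constructed. The second CLSID and its
DLL path are invented for illustration.
"""
import re

# CLSID named on this page for the PWS-Goldun BHO.
KNOWN_BAD_CLSIDS = {"{CE453468-C4F4-A3DE-7FBD-4569594A7FE9}"}

BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           "\\Explorer\\Browser Helper Objects")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE453468-C4F4-A3DE-7FBD-4569594A7FE9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{CE453468-C4F4-A3DE-7FBD-4569594A7FE9}\InprocServer32]
@="C:\\WINDOWS\\system32\\msvoid.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Return {KEY (upper-cased): {value_name: data}} for a Regedit 5.00 export.

    Only REG_SZ and dword values are handled, which is all a BHO lookup needs.
    The default value is stored under the empty name "".
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def triage_bhos(reg, trusted_dirs=("C:\\Program Files",)):
    """List each registered BHO with the DLL it loads and why it looks suspicious."""
    findings = []
    prefix = BHO_KEY.upper() + "\\"
    for key in reg:
        if not key.startswith(prefix):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").upper()
        dll = reg.get(server_key, {}).get("", "<no InprocServer32>")
        reasons = []
        if clsid in KNOWN_BAD_CLSIDS:
            reasons.append("CLSID matches PWS-Goldun BHO")
        if not any(dll.lower().startswith(d.lower()) for d in trusted_dirs):
            reasons.append("DLL outside trusted directories")  # heuristic only
        findings.append({"clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_bhos(parse_reg(SAMPLE_REG)):
        flag = "SUSPECT" if hit["reasons"] else "ok"
        print(flag, hit["clsid"], "->", hit["dll"], "; ".join(hit["reasons"]))
```

The CLSID match is the high-confidence signal; the directory heuristic is there to surface BHOs that a signature would miss, and every hit it produces should be confirmed by checking the DLL's publisher and hash.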

When Internet Explorer is launched, the BHO attempts to contact the following URLs to download further malware (parts of the paths have been removed):

  • http://udachufund.net/[Removed]/javascript/vlsi.jpg
  • http://awstats/icon/[Removed]/next.php

Note that the first URL ends in a .jpg name but is used to deliver malware rather than an image, so filtering on file extension will not catch it, and that the second is printed with the bare host name awstats and no domain, so it should be used only as a partial indicator.


Method of Infection

This password stealer variant was mass-spammed on August 27th, 2006 as the attachment OrderInfo69.exe shown above. The attachment is an executable, not the self-extracting zip the message text describes; infection occurs when the recipient opens it.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. If cleanup is done by hand, close all Internet Explorer windows first (the BHO is loaded into the browser process), delete msvoid.dll from the system directory, and delete the two registry keys listed under Symptoms. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when files are received via P2P clients, IRC, email or other media where users share files.

Variants

    N/A

Overview

PWS-Goldun is a trojan that arrives in an email claiming to be an order-tracking notice for an iPod ordered online. It drops a downloader component that attempts to download further malware.


Aliases

  • TR/Spy.Goldun.CS.5 (Avira)
  • Trj/Goldun.KX (Panda)
  • Trojan-Spy.Win32.Goldun.cs (Kaspersky)
  • Trojan.Spy.Goldun (ClamAV)
  • Trojan.Spy.Goldun.CS (BitDefender)
  • TrojanSpy.Goldun.KU (VirusBuster)
  • W32/Goldun.CS!tr (Fortinet)
  • Win32/Spy.Goldun.NAK (ESET)
