Content

W32/GrupBot

Type
Trojan
SubType
Win32
Discovery Date
09/14/2009
Length
29,184 bytes
Minimum DAT
5742 (09/15/2009)
Updated DAT
5742 (09/15/2009)
Minimum Engine
5.3.00
Description Added
09/14/2009
Description Modified
09/14/2009 5:09 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

--- Update September 14, 2009 --
The risk assessment of this threat was updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/ 

---

W32/GrupBot is a backdoor Trojan that allows for commands to be executed via a command and control center that uses Google Groups newsgroups. Commands are received from this location, and may allow for further malware to be installed.

The Trojan exists as a dynamic link library (dll) that may have a name similar to:

  • mslogin.dll

A first time check is performed using rundll32.exe. It will then attempt to login at www.google.com/accounts/Login.

Once logged in, a connection is made to the "escape2sun" newsgroup to recieve command instructions.

The following registry keys are added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

 The following file is added  for logging:

  • %Directory%\tmw.dat

Symptoms

  • Presence of the aforementioned files and registry settings
  • Presence of unexpected network connections

 

Method of Infection

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -


--- Update September 14, 2009 --
The risk assessment of this threat was updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/ 

---

W32/GrupBot is a backdoor Trojan which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam or install further malware.



 




Aliases




  • Trojan.Grups (Symantec)

Characteristics

Characteristics -

--- Update September 14, 2009 --
The risk assessment of this threat was updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/09/14/google_groups_control_trojan/ 

---

W32/GrupBot is a backdoor Trojan that allows for commands to be executed via a command and control center that uses Google Groups newsgroups. Commands are received from this location, and may allow for further malware to be installed.

The Trojan exists as a dynamic link library (dll) that may have a name similar to:

  • mslogin.dll

A first time check is performed using rundll32.exe. It will then attempt to login at www.google.com/accounts/Login.

Once logged in, a connection is made to the "escape2sun" newsgroup to recieve command instructions.

The following registry keys are added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

 The following file is added  for logging:

  • %Directory%\tmw.dat

Symptoms

Symptoms -

  • Presence of the aforementioned files and registry settings
  • Presence of unexpected network connections

 

Method of Infection

Method of Infection -

Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A