TROJ_GUPBOOT.A
Trojan:Win32/Gupboot.A (Microsoft), Backdoor.Graybird (Symantec),
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan overwrites the Master Boot Record (MBR) with new code. It also contains a file detected as TSPY_URELAS.A. The spyware captures screenshots of Korean games being played on the user's system, which may result in the user's game accounts being compromised.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %User Temp%\~DFA{random}.tmp
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run = "{Malware path and file name}"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
SubKey = "~DFA{random}"
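The Run value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is the registry mapping of the legacy win.ini run= line, so any non-empty value there deserves a look even when it does not match this Trojan. The following script is an added example and is not Trend Micro's code or tooling: it reads that key with the standard winreg module on Windows (elsewhere it falls back to a constructed sample) and flags values matching the ~DFA{random}.tmp copy and the SubKey entry described above. The exact format of the {random} part is not given on this page; the pattern below assumes only that it contains no path separators.

```python
import re
import sys

# Key listed in the advisory, relative to HKEY_CURRENT_USER.
KEY_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"

# ~DFA{random}.tmp / ~DFA{random}: the advisory does not say what {random}
# looks like, so we only assume it contains no path separators or commas.
DFA_PATTERN = re.compile(r"~DFA[^\\/,]*", re.IGNORECASE)

# Constructed sample standing in for the live key on non-Windows hosts.
# These are invented values, not captures from a real infection.
SAMPLE_VALUES = {
    "Run": r"C:\Users\alice\AppData\Local\Temp\~DFA1B2C.tmp",
    "SubKey": "~DFA1B2C",
    "Load": "",
    "DeviceNotSelectedTimeout": "15",
}


def classify_value(name, data):
    """Classify one (value name, value data) pair read from the key.

    Returns "match"  when the value fits this advisory's ~DFA{random} pattern,
            "review" for any other non-empty Run value (legacy autostart that
                     is rarely used by legitimate software),
            None     when there is nothing of interest.
    """
    if not isinstance(data, str) or not data.strip():
        return None
    lowered = name.lower()
    if lowered in ("run", "subkey") and DFA_PATTERN.search(data):
        return "match"
    if lowered == "run":
        return "review"
    return None


def scan_values(values):
    """Return [(name, data, verdict), ...] for every value worth reporting."""
    findings = []
    for name, data in values.items():
        verdict = classify_value(name, data)
        if verdict is not None:
            findings.append((name, data, verdict))
    return findings


def read_live_values():
    """Enumerate the values of the key for the current user (Windows only)."""
    import winreg  # only importable on Windows

    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    source = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    for name, data, verdict in scan_values(source):
        print(f"[{verdict}] {name} = {data}")
```

On a clean machine the key normally holds only empty Load and Run values, so any "match" or "review" line is worth correlating with the dropped-file locations in the Installation section.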
Other System Modifications
This Trojan deletes the following files:
- %System Root%\gdisk.exe
- %System%\gdisk.exe
- %Windows%\gdisk.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)
Dropping Routine
This Trojan drops the following files:
- {malware path}\{random file name 1}.exe - detected as TSPY_URELAS.A
- {malware path}\{random file name 2}.exe - detected as TSPY_URELAS.A
- {malware path}\gbp.ini - contains encrypted remote IP addresses read by TSPY_URELAS.A
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
Download Routine
This Trojan accesses the following websites to download files:
- {BLOCKED}.{BLOCKED}.205.36
- {BLOCKED}.{BLOCKED}.28.139
- {BLOCKED}.{BLOCKED}.28.146
It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
As of this writing, the said sites are inaccessible.
NOTES:
In its resource, this Trojan contains a ZIP archive. The extracted executable file is detected as TSPY_URELAS.A.
It overwrites the MBR with new code and writes the string _GBP as its infection marker.
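Because the Trojan replaces the boot code in sector 0 and leaves the string _GBP behind, the first 512 bytes of a disk (or of a disk image taken during response) can be checked directly. The script below is an added example, not Trend Micro's code: it parses the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), searches the sector for the marker and reports anything unexpected. The advisory does not say at which offset _GBP is written, so the whole sector is searched, and the sample sectors are constructed here for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
INFECTION_MARKER = b"_GBP"  # marker named in the advisory; offset is not given


def parse_mbr(sector):
    """Split a 512-byte sector into (boot_code, partition_entries, signature).

    Each partition entry is 16 bytes: status, CHS start (3), type,
    CHS end (3), LBA start (uint32 LE), sector count (uint32 LE).
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    boot_code = sector[:446]
    entries = []
    for i in range(4):
        status, p_type, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": p_type,
                        "lba_start": lba_start, "sectors": count})
    return boot_code, entries, sector[510:512]


def assess_mbr(sector):
    """Return a list of human-readable findings; an empty list means the
    sector looks like an ordinary MBR with no trace of this marker."""
    _boot_code, entries, signature = parse_mbr(sector)
    findings = []
    if signature != BOOT_SIGNATURE:
        findings.append("boot signature missing: sector is not a valid MBR")
    pos = sector.find(INFECTION_MARKER)
    if pos != -1:
        findings.append(f"infection marker {INFECTION_MARKER!r} at offset {pos}")
    if all(entry["type"] == 0 for entry in entries):
        findings.append("partition table empty")
    return findings


def read_first_sector(path):
    """Read sector 0 from a disk image file or a raw device.
    On Windows the device is \\.\PhysicalDrive0 and needs administrator
    rights; on Linux it is something like /dev/sda (read-only is enough)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def make_sample_mbr(marker=None):
    """Build a constructed MBR for testing: zeroed boot code, one bootable
    NTFS (0x07) partition starting at LBA 2048, valid signature, and
    optionally the marker placed inside the boot-code area (offset chosen
    arbitrarily here, not taken from the advisory)."""
    sector = bytearray(SECTOR_SIZE)
    if marker:
        sector[0x1A0:0x1A0 + len(marker)] = marker
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 2_097_152)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        sector = read_first_sector(sys.argv[1])
    else:
        sector = make_sample_mbr(INFECTION_MARKER)
    for line in assess_mbr(sector) or ["no findings"]:
        print(line)
```

Run it with a disk image path as the first argument to check a real sector; without arguments it assesses the constructed infected sample. A marker hit is a strong indicator, while a missing signature or empty partition table only says the sector is not a normal MBR and needs manual inspection.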
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Remove malware/grayware files dropped/downloaded by TROJ_GUPBOOT.A. (Note: Please skip this step if the threats listed below have already been removed.)