Remove W32.Gosys
Posted on: November 15th, 2009
Discovered: November 11, 2009
Updated: November 11, 2009 2:47:39 PM
Type: Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Recommended Action: In order to remove W32.Gosys you need to download the 'No Adware' remover software. Based on our testing this was the best-performing remover of W32.Gosys. Read our full No Adware Review.
Technical Details:

When the worm executes, it creates the following files:
* %UserProfile%\Application Data\mrsys.exe
* %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\4H67CTM7\3picsys[1].gif
* %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\GTYN8HUZ\cmsys[1].gif
* %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\W9UNG1MR\2picsys[1].gif
* %UserProfile%\Application Data\stsys.exe
* %System%\blsys.bln
* %System%\cmsys.cmn
* %System%\explorer.exe
* %Windir%\2clksys1.ptn
* %Windir%\2clksys2.ptn
* %Windir%\2clksys3.ptn
* %Windir%\2clksys4.ptn
* %Windir%\2dclsys1.ptn
* %Windir%\2entsys1.ptn
* %Windir%\2entsys2.ptn
* %Windir%\2picsys.cpn
* %Windir%\3clksys1.ptn
* %Windir%\3clksys2.ptn
* %Windir%\3clksys3.ptn
* %Windir%\3clksys4.ptn
* %Windir%\3dclsys1.ptn
* %Windir%\3entsys1.ptn
* %Windir%\3entsys2.ptn
* %Windir%\3picsys.cpn
* %Windir%\blsys.bln
* %Windir%\spoolsv.exe
* %Windir%\svchost.exe

Note that three of these copies borrow the names of legitimate Windows binaries but sit in the wrong directory: the genuine explorer.exe lives in %Windir%, and the genuine svchost.exe and spoolsv.exe live in %System%. A process list shows only the file name, so check the full path of any running explorer.exe, svchost.exe or spoolsv.exe before trusting it.

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"

It also creates the following registry entries:
* HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"
* HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"
* HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"
* HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"

(regshot.exe is a registry snapshot and diff tool commonly used when analysing malware; the write-up does not say what the worm does with this value.)

The worm may also modify the following registry entries:
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\"Start" = "3"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBSTOR\"Type" = "1"
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\StorageDevicePolicies\"WriteProtect" = "0"

These settings make the USB mass storage driver load on demand (Start = 3) and clear the policy that write-protects removable storage (WriteProtect = 0), so removable drives are writable when the worm later copies itself to them.

The worm modifies the following registry entry so that it executes whenever Windows starts:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"

On a clean system this value is just Explorer.exe. Winlogon launches every comma-separated entry in it, so the worm's copy in %System% starts alongside the real shell at every logon.

It also modifies the following registry entry:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

With ShowSuperHidden set to 0, Explorer does not display files flagged as protected operating system files, even when "Show hidden files and folders" is enabled.

Next, the worm downloads an encrypted configuration file from one of the following locations:
* [http://]cmdexp01.googlecode.com/files/cmsy[REMOVED]
* [http://]expcmd01.googlecode.com/files/cmsy[REMOVED]
* [http://]expcmd02.googlecode.com/files/cmsy[REMOVED]
* [http://]expcmd03.googlecode.com/files/cmsy[REMOVED]
* [http://]expcmd01.netai.net/cmsy[REMOVED]
* [http://]expcmd01.byethost15.com/cmsy[REMOVED]
* [http://]expcmd01.50webs.com/cmsy[REMOVED]
* [http://]expcmd01.07x.net/cmsy[REMOVED]
* [http://]expcmd01.zxq.net/cmsy[REMOVED]
* [http://]expcmd01.atspace.com/cmsy[REMOVED]
* [http://]expcmd01.ezeserv.com/cmsy[REMOVED]

It also downloads further configuration files from the following locations:
* [http://]cmdexp01.googlecode.com/files/2pics[REMOVED]
* [http://]cmdexp01.googlecode.com/files/3pics[REMOVED]

Next, it deletes all files in the following folder:
* %Windir%\Tasks

On these Windows versions scheduled tasks are stored in that folder as .job files, so any tasks that existed before the infection are removed.

It then creates a scheduled task to run the following file every day at the current time plus two minutes:
* %Windir%\svchost.exe

The worm then starts the task scheduler.

Next, the worm opens a back door, which may allow a remote attacker to perform the following actions on the compromised computer:
* Record keystrokes
* Update itself
* Send an email (using Microsoft's CDO Messaging API)
* Download files
* Execute commands

The worm monitors Internet Explorer and Mozilla Firefox windows for the following strings, which are the page titles of the Yahoo! Mail and Gmail login pages:
* Yahoo! Mail: The best web-based email!
* Gmail: Email from Google

It then steals information from the compromised computer, which may be sent to one of the following email addresses:
* expemail@gmail.com
* expeml01@gmail.com
* expeml02@gmail.com
* expeml01@hotmail.com

The worm then spreads by copying itself to all network shares reachable from the compromised computer. It also attempts to spread by copying itself to all removable drives.
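The indicators above can be checked offline without touching the live registry. The following script is an added example and is not part of the original write-up or of any vendor's tool: it parses the text of a `reg export` dump and a plain file listing from the suspect host and reports the Gosys indicators it finds. It assumes XP-style default paths for %UserProfile%, %Windir% and %System%, that the worm's command lines keep the form shown above (program path followed by a short argument), and that only string registry values matter; the sample .reg text and file list below are constructed for the example, not captured from an infected machine.

```python
"""Offline triage for the W32.Gosys indicators described above (added example, not vendor code)."""
import re
from typing import Dict, List

# Binaries the worm impersonates and the only directory the real one lives in (XP-era layout
# assumed). The same name anywhere else is an indicator.
LEGIT_DIR = {"explorer.exe": r"c:\windows", "svchost.exe": r"c:\windows\system32",
             "spoolsv.exe": r"c:\windows\system32"}
# Other dropped file names from the write-up, including the numbered *sys.ptn/.cpn files.
DROPPED_NAME = re.compile(
    r"^(?:mrsys\.exe|stsys\.exe|blsys\.bln|cmsys\.cmn|\d(?:clk|dcl|ent)sys\d\.ptn|\dpicsys\.cpn)$", re.I)
# Assumed expansions for the placeholders used in the write-up.
ENV = {"%userprofile%": r"c:\documents and settings\user", "%windir%": r"c:\windows",
       "%system%": r"c:\windows\system32"}
# Heuristic: the program in a command line ends at the first known extension (the worm's
# commands carry trailing arguments such as "RO" and "MR").
EXE_IN_CMD = re.compile(r'^"?(.*?\.(?:exe|bln|cmn|ptn|cpn))"?(?:\s|$)', re.I)
AUTORUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
                r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
VBA_SETTINGS = r"hkey_current_user\software\vb and vba program settings" + "\\"

# Lower-case a path and replace the %...% placeholders with the assumed defaults.
def expand(path: str) -> str:
    p = path.lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: [key] headers followed by "name"="string" lines.
    Keys and value names are lower-cased; other value types are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # undo the .reg escaping of backslash and quote
                keys[current][m.group(1).lower()] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys

def check_file_path(path: str) -> List[str]:
    """Flag a known dropped file, or an impersonated binary outside its normal directory."""
    p = expand(path)
    directory, _, name = p.rpartition("\\")
    findings = []
    if directory and name in LEGIT_DIR and directory != LEGIT_DIR[name]:
        findings.append(f"{p}: {name} outside its normal directory {LEGIT_DIR[name]}")
    if DROPPED_NAME.match(name):
        findings.append(f"{p}: Gosys dropped-file name")
    return findings

def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    findings: List[str] = []
    # Winlogon\Shell is normally just Explorer.exe; Gosys appends its own copy after a comma.
    shell = keys.get(WINLOGON, {}).get("shell", "explorer.exe")
    entries = [e.strip() for e in shell.split(",") if e.strip()]
    if len(entries) > 1:
        findings.append(f"Winlogon Shell chains extra program(s): {shell}")
    for entry in entries:
        findings.extend(check_file_path(entry))
    for key, values in keys.items():
        # Run/RunOnce commands and Active Setup StubPath entries that launch Gosys files.
        if key in AUTORUN_KEYS or key.startswith(ACTIVE_SETUP):
            for name, cmd in values.items():
                m = EXE_IN_CMD.match(cmd)
                if m:
                    findings.extend(f"{key}\\{name}: {f}" for f in check_file_path(m.group(1)))
        # The worm's own settings under the key that Visual Basic's SaveSetting writes to.
        if key.startswith(VBA_SETTINGS) and key[len(VBA_SETTINGS):].split("\\")[0] in ("explorer", "svchost"):
            findings.append(f"Gosys configuration key present: {key}")
    return findings

# Constructed sample input mirroring the entries in the write-up (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%Windir%\\explorer.exe, c:\\windows\\system32\\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Explorer"="c:\\windows\\system32\\explorer.exe RO"
"Svchost"="c:\\windows\\svchost.exe RO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}]
"StubPath"="%UserProfile%\\Local Settings\\Application Data\\mrsys.exe MR"
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process]
"BL"="c:\\tools\\regshot.exe"
'''
# Constructed file listing: two legitimate copies, four Gosys artefacts, one bystander.
SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\svchost.exe",
                r"C:\WINDOWS\system32\explorer.exe", r"C:\WINDOWS\svchost.exe", r"C:\WINDOWS\2clksys1.ptn",
                r"C:\Documents and Settings\user\Application Data\mrsys.exe", r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    for finding in check_registry(parse_reg_export(SAMPLE_REG)) + [f for p in SAMPLE_FILES for f in check_file_path(p)]:
        print(finding)
```

On the suspect host, `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` produce the input for parse_reg_export (the export is usually UTF-16 text, so open it with encoding="utf-16"), and a `dir /s /b C:\` listing feeds check_file_path one line at a time. The wrong-directory rule is the one a bare process list cannot apply, which is why a task list showing only explorer.exe and svchost.exe looks clean on an infected machine.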
Action Steps:

FREE SCAN: NoAdware can remove W32.Gosys. Click the link below for your free download and scan your PC now.
Please click here for manual removal instructions.

