PWS-Gogo

This page shows the details and results of our analysis of the malware PWS-Gogo.

Overview

This trojan was briefly detected as Generic PWS.j. Along with its password-stealing capabilities, this trojan has rootkit functionality: it hides its registry keys, processes and files.

In order to hide its registry keys, the trojan places an inline hook on a non-exported function inside ntoskrnl.exe (CMEnumerateKey). It also hooks the IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL dispatch routines of NTFS.SYS to hide its files on disk. To hide its device driver from the loaded-module list, it removes the driver's entry from PsLoadedModulesList.


Minimum DAT

4946 (2007-01-22)

Updated DAT

5001 (2007-04-04)

Minimum Engine

5.1.00

File Length

N/A

Description Added

2007-02-08

Description Modified

2007-02-08

Malware Proliferation

Characteristics

May contact hxxp://patch2.u88.cn[hidden] to upload stolen information or to download new variants.

Files Added

  • %sysdir%\COMCTL3.SRG
  • %sysdir%\VideoAti0.dll
  • %sysdir%\VideoAti0.exe
  • %windir%\lib
  • %windir%\setup.tmp
  • %windir%\stdie.dll

Registry keys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VideoAti0\
    Type: 0x00000001
    Start: 0x00000001
    ErrorControl: 0x00000001
    ImagePath: "\SystemRoot\System32\drivers\VideoAti0.sys"
    DisplayName: "VideoAti0"
    Group: "Base"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VideoAti0\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VideoAti0\Security\Security

In order to start in Safe Mode as well, the trojan adds the following keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VideoAti0\:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VideoAti0\:

It registers itself as a BHO (Browser Helper Object) by adding the following keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A3803141-3CF5-4D66-B7EA-8D2674FE152C}\InprocServer32\: "C:\WINDOWS\stdie.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{13D90754-C6BC-4C7E-9E9E-399C211136EF}\TypeLib\:"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9FD6C9E2-54F8-48A9-BEF6-964F9C221AE4}\1.0\0\win32\: "C:\WINDOWS\stdie.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gogo.IEhlprObj\CurVer\: "Gogo.IEhlprObj.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gogo.IEhlprObj\CLSID\: "{A3803141-3CF5-4D66-B7EA-8D2674FE152C}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Gogo.IEhlprObj\: "IEhlprObj Class"


Symptoms

The trojan can create network connections to hxxp://patch2.u88.cn.

Since the trojan is designed for stealth, no other obvious symptoms are visible.

It is recommended to scan your system periodically with McAfee Rootkit Detective Beta.

Method of Infection

N/A. Password stealers are not viruses and, as such, do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans and installed on the user's system. Additionally, many of these are mass-spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or because the website hosts a scripted exploit that installs the password stealer onto the user's system with no user interaction).


Removal

All Users:

Manual Removal Instructions

  1. Reboot your system using the Windows Recovery Console.
  2. Select R to start the Recovery Console.
  3. At the Recovery Console command prompt, type DISABLE VideoAti0.
  4. Type Exit.
  5. Rescan the system with the latest DATs upon reboot.

Additional Windows ME/XP removal considerations

Variants