This page shows details and results of our analysis of the malware GoGho


This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Minimum Engine


File Length

Description Added


Description Modified


Malware Proliferation


The GoGho trojan copies itself to the following locations:

    * %WinDir%\system32\%Random Name%\%Random Name%.exe
    * %WinDir%\system32\%Random Name%\GoldenGhost.exe

It creates the following files:

    * %WinDir%\system32\%Random Name%\devil.ocx
    * %WinDir%\system32\%Random Name%\pluto.ocx

It deletes the following file:

    * %WinDir%\system32\drivers\etc\hosts

Upon execution, the following registry values are changed:


    * hidefileext = 1
    * supperhidden = 0
    * hidden = 2


    * RegisteredOrganization = GoldenGhost.Inc
    * RegisteredOwner = GoldenGhost

The following registry keys and values are created:

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "GoldenGhost" = %Path of GoGho trojan%
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableRegistryTools" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableTaskMgr" = 1
    * HKEY_CURRENT_USER\Software\GoldenGhost.A

When the trojan is running, any attempt to paste into a text window will produce the following text:

    * Oohhh... Aughhhh... yes... babbby...!!

The trojan attempts to connect to the following server when executed (at the time of writing this VIL entry, the server was unavailable):

The GoGho trojan attempts to delete any files with the following extensions that are located on the E: drive:

The trojan uses the Windows Media player icon.
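The following PowerShell script is an added triage check written for this entry; it is not McAfee's removal tool and is not derived from the trojan. It reads the indicators described above (the policy restrictions, the "GoldenGhost" Run entry, the marker key, the three dropped file names under any subfolder of system32, and the missing hosts file) and reports what it finds without changing anything. It assumes it is run as the affected user on the machine being examined, and it skips the hidefileext / supperhidden / hidden values because the entry does not state which key holds them.

```powershell
# Added example: read-only check for the GoGho indicators listed on this page.
# Assumption: run as the affected user on the suspect machine; nothing is modified.

$findings = @()

# 1. Explorer and System policy values the description says are set to 1
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoFind', 'NoFolderOptions', 'NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableCMD', 'DisableRegistryTools', 'DisableTaskMgr' }
)
foreach ($check in $policyChecks) {
    if (Test-Path $check.Key) {
        $props = Get-ItemProperty -Path $check.Key
        foreach ($name in $check.Names) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop -and $prop.Value -eq 1) {
                $findings += "Policy restriction set: $($check.Key)\$name = 1"
            }
        }
    }
}

# 2. Persistence: the "GoldenGhost" value in the machine Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['GoldenGhost']) {
    $findings += "Run entry: GoldenGhost = $($run.GoldenGhost)"
}

# 3. Marker key created by the trojan
if (Test-Path 'HKCU:\Software\GoldenGhost.A') {
    $findings += 'Marker key HKCU\Software\GoldenGhost.A exists'
}

# 4. Dropped files: the folder name is random, so every subfolder of system32 is checked
$sys32 = Join-Path $env:WINDIR 'system32'
$dropNames = 'GoldenGhost.exe', 'devil.ocx', 'pluto.ocx'
Get-ChildItem -Path $sys32 -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($n in $dropNames) {
        $candidate = Join-Path $_.FullName $n
        if (Test-Path $candidate) { $findings += "Dropped file: $candidate" }
    }
}

# 5. The trojan deletes the hosts file, so its absence is itself an indicator
$hosts = Join-Path $sys32 'drivers\etc\hosts'
if (-not (Test-Path $hosts)) { $findings += "hosts file missing: $hosts" }

if ($findings.Count -eq 0) { 'No GoGho indicators found.' } else { $findings }
```

A hit on the policy values alone is not conclusive, since administrators also set NoRun, DisableTaskMgr and similar values through Group Policy; the combination with the Run entry, the marker key or the dropped files is what distinguishes this trojan. Because the trojan disables the registry tools and Task Manager, running the check from a PowerShell prompt is also a practical way to read those values on an infected machine.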


The presence of the above files and registry entries, and the appearance of the text "Oohhh... Aughhhh... yes... babbby...!!" when attempting to paste.

Method of Infection

Manual execution of the binary


All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations