GoGho

This page shows details and results of our analysis on the malware GoGho

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum DAT

5374 (2008-09-01)

Updated DAT

5374 (2008-09-01)

Minimum Engine

5.1.00

File Length

Description Added

2008-08-29

Description Modified

2008-09-01

Malware Proliferation

Characteristics

The GoGho trojan copies itself to the following locations:

    * %WinDir%\system32\%Random Name%\%Random Name%.exe
    * %WinDir%\system32\%Random Name%\GoldenGhost.exe

It creates the following files:

    * %WinDir%\system32\%Random Name%\devil.ocx
    * %WinDir%\system32\%Random Name%\pluto.ocx

It deletes the following file:

    * %WinDir%\system32\drivers\etc\hosts

Upon execution, the following registry values are changed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    * hidefileext = 1
    * supperhidden = 0
    * hidden = 2

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

    * RegisteredOrganization = GoldenGhost.Inc
    * RegisteredOwner = GoldenGhost


The following registry keys and values are created:

    * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "GoldenGhost" = %Path of GoGho trojan%
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableRegistryTools" = 1
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableTaskMgr" = 1
    * HKEY_CURRENT_USER\Software\GoldenGhost.A

When the trojan is running, any attempt to paste into a text window produces the following text:
    * Oohhh... Aughhhh... yes... babbby...!!

The trojan attempts to connect to the following server when executed (at the time of writing this description, the server was unavailable):
    * punch.va.us.***.***

The GoGho trojan attempts to delete any files with the following extensions located on the E: drive:

    * *.mov
    * *.dat
    * *.wmv
    * *.3gp
    * *.avi
    * *.mpg
    * *.mpeg

The trojan uses the Windows Media Player icon.
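The following read-only triage script is an added example, not part of the original description: it checks a host for the file, hosts-file, persistence and policy indicators listed above and reports which are present. It assumes PowerShell 3.0 or later, an elevated prompt, and the paths and value names exactly as given on this page (the random-name directory is handled by scanning every System32 subdirectory).

```powershell
# Added example: GoGho indicator triage (read-only; reports, does not remediate).
$findings = @()
$sys32 = Join-Path $env:WinDir 'System32'

# 1. Dropped files: a random-named subdirectory of System32 holding
#    GoldenGhost.exe, devil.ocx or pluto.ocx (names taken from this page).
$dropped = 'GoldenGhost.exe', 'devil.ocx', 'pluto.ocx'
Get-ChildItem -Path $sys32 -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in $dropped) {
        $p = Join-Path $_.FullName $name
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# 2. The trojan deletes the hosts file; its absence is itself an indicator.
$hosts = Join-Path $sys32 'drivers\etc\hosts'
if (-not (Test-Path -LiteralPath $hosts)) { $findings += "hosts file missing: $hosts" }

# 3. Persistence: a Run value named GoldenGhost pointing at the trojan binary.
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$gg = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).GoldenGhost
if ($gg) { $findings += "Run entry GoldenGhost -> $gg" }

# 4. Explorer/System policy values the trojan sets to 1.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFind', 'NoFolderOptions', 'NoRun'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableCMD', 'DisableRegistryTools', 'DisableTaskMgr'
}
foreach ($key in $policies.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($v in $policies[$key]) {
        if ($props -and $props.$v -eq 1) { $findings += "Policy set: $key\$v = 1" }
    }
}

# 5. Marker key and the rebranded RegisteredOwner/RegisteredOrganization values.
if (Test-Path 'HKCU:\Software\GoldenGhost.A') { $findings += 'Marker key HKCU\Software\GoldenGhost.A present' }
$nt = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
if ($nt.RegisteredOwner -eq 'GoldenGhost' -or $nt.RegisteredOrganization -eq 'GoldenGhost.Inc') {
    $findings += "Owner/Organization rebranded: $($nt.RegisteredOwner) / $($nt.RegisteredOrganization)"
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No GoGho indicators found.' }
```

A hit on the policy values alone is not conclusive, since administrators legitimately set them by Group Policy; treat the dropped files, the Run entry and the marker key as the strong indicators.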

Symptoms

The presence of the files and registry entries listed above, and the appearance of the text "Oohhh... Aughhhh... yes... babbby...!!" when attempting to paste.

Method of Infection

Manual execution of the binary

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants