SonicWall Security Center

Gbot Trojan (Dec 09, 2010)


SonicWALL UTM Research team received reports of a new Trojan that can be used to relay sensitive information to remote hosts and to accept remote commands from an attacker. The Trojan makes periodic GET and POST requests to remote servers for pages and files that do not exist. Some parts of the requests contain system information or are encrypted.

The Trojan performs the following activities upon execution:

  • Drops the following three files on the compromised machine:
    • C:\Documents and Settings\User\Application Data\dwm.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe [ Detected as GAV: Cycbot.AA_6 (Trojan) ]
    • C:\Documents and Settings\User\Application Data\E6AE.A4A

  • Creates the following registry entries to ensure it is launched at every startup:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell "explorer.exe,C:\Documents and Settings\User\Application Data\dwm.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost "C:\Documents and Settings\User\Application Data\Microsoft\conhost.exe"

  • Additional registry keys created:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer "http="

  • Samples of periodic web requests made by the Trojan:

    GET request to: freeonline{removed}.net

    GET request to: 136{removed}.com

    GET request to: zon{removed}.com

    GET request to: pcdoc{removed}.com

    POST request to: xibu{removed}.cn
    /pics/23.jpg?type=g_v53&system={IE Browser Ver}|{OS Ver}|{Language}&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0
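As an added defender-side example (not part of the SonicWALL alert), the following Python picks the beacon shape shown above out of proxy log lines and extracts the bot id and the browser/OS/language fields; the log line format and the host names are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the POST beacon above: all six keys present, "type" like g_v<digits>,
# "status" like err<digits>_<digits>_<digits>, "id" 20 hex chars, and "system"
# made of three "|"-separated fields (browser version | OS version | language).
BEACON_KEYS = {"type", "system", "id", "status", "n", "extra"}
TYPE_RE = re.compile(r"^g_v\d+$")
STATUS_RE = re.compile(r"^err\d+_\d+_\d+$")
ID_RE = re.compile(r"^[0-9A-Fa-f]{20}$")


def parse_beacon(url):
    """Return decoded beacon fields if `url` matches the check-in pattern, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if not BEACON_KEYS <= set(qs):
        return None
    fields = {k: v[0] for k, v in qs.items()}
    if not (TYPE_RE.match(fields["type"]) and STATUS_RE.match(fields["status"])
            and ID_RE.match(fields["id"])):
        return None
    system = fields["system"].split("|")
    if len(system) != 3:
        return None
    return {"host": parts.hostname, "path": parts.path,
            "bot_id": fields["id"].upper(), "browser": system[0],
            "os": system[1], "language": system[2], "status": fields["status"]}


def scan_proxy_log(lines):
    """Return (client_ip, beacon) for each line whose request URL matches.
    Assumed (constructed) line format: '<client_ip> <METHOD> <url> <http_status>'."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 4 or cols[1] not in ("GET", "POST"):
            continue
        beacon = parse_beacon(cols[2])
        if beacon:
            hits.append((cols[0], beacon))
    return hits


# Constructed sample log lines; the C2 host name is a placeholder, not the real one.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.7 POST http://c2-placeholder.invalid/pics/23.jpg?type=g_v53"
    "&system=IE8|WinXP|en-US&id=B0CA268F7F02CA4AE6AE&status=err088_2_0&n=0&extra=0 404",
    "10.0.0.9 GET http://cdn.example.org/pics/23.jpg?type=g_v1&id=abc 200",
]
```

Only the second sample line matches; the third shares the path but lacks the full key set and a valid id, so it is not flagged.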

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Cycbot.AA_6 (Trojan)
