Installation
Trojan:Win32/Gupboot.A may be downloaded and installed by other malware.
In the wild, we have observed Trojan:Win32/Gupboot.A downloaded with the following file names:
When run, Trojan:Win32/Gupboot.A drops the following files:
- <system folder>\golfinfo.ini - this file may be used to store information captured by the trojan
- <system folder>\temp1234.dat - this file is a malicious copy of the Windows file "explorer.exe"
- <system folder>\<random>.exe, for example "jesoop.exe" - this file is a component of the trojan that performs the payload; it is also detected as Trojan:Win32/Gupboot.A
- <system folder>\<random>.dll, for example "gyrimoyrz.dll" - this file is a component of the trojan that performs the payload; it is also detected as Trojan:Win32/Gupboot.A
- %TEMP%\_uninsep.bat - this file is used to remove the trojan's original file
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of this folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
Trojan:Win32/Gupboot.A overwrites the MBR with Trojan:DOS/Gupboot.A. The overwritten MBR causes your computer to use the malicious copy of "explorer.exe" that is installed by Trojan:Win32/Gupboot.A, in an attempt to hinder detection and removal of the trojan.
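A defender-side check that follows from the MBR overwrite described above, added here as an example (it is not part of the original entry and does not reproduce any Gupboot code): hash the 446-byte bootstrap region of sector 0 against a baseline recorded while the machine was known clean, confirm the 0x55AA boot signature, and show the partition table so an analyst can see that a bootkit-style overwrite typically changes the boot code while leaving partitions intact. The MBR images are constructed in the script; the device path and the baseline value are assumptions an operator would substitute.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code, the part a bootkit replaces
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510          # last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR image (not from a real disk): one bootable NTFS partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)          # remaining three entries unused
    return boot + table + b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Decode the four partition entries; unused entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap region only, so partition edits do not cause false alarms."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str):
    """Return a list of findings; an empty list means sector 0 matches the clean baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (requires administrator rights).
    The device path is an assumption; adjust it for the disk being examined."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    # Baseline taken from a constructed clean image; on a real host, record it once
    # while the machine is known clean and store it off the machine.
    clean = build_sample_mbr(b"constructed clean boot code")
    baseline = boot_code_hash(clean)
    overwritten = build_sample_mbr(b"constructed stand-in for foreign boot code")
    print("clean image   :", check_mbr(clean, baseline) or "OK")
    print("overwritten   :", check_mbr(overwritten, baseline))
    print("partitions same:", parse_partitions(clean) == parse_partitions(overwritten))
```

Because only the bootstrap bytes are hashed, the check keeps working after a legitimate repartition; the partition table is printed separately so that an unexpected change there is still visible during triage.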
Trojan:Win32/Gupboot.A modifies the following registry entries to ensure that it runs at each Windows start:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<malware service name>\Parameters, for example "HKLM\SYSTEM\CurrentControlSet\Services\Kylig\Parameters"
Sets value: "ServiceDll"
With data: "<system folder>\<random>.dll", for example "C:\Windows\System32\gyrimoyrz.dll"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "<random name>", for example "Otbesykoufi"
With data: "<malware service name>", for example "mupurovym"
Once it has dropped the component files and installed itself, the trojan runs the "_uninsep.bat" file to remove the original malware file from your computer.
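The persistence mechanism above (a new SvcHost group whose only member is the malware service, plus a ServiceDll value under that service's Parameters key) can be hunted for offline from `reg query /s` output. The following script is an added example, not part of the original entry or of any Microsoft tooling: it parses such output, lists every SvcHost group that is absent from a baseline recorded on a clean build, and resolves each member service's ServiceDll for triage. The sample output and the baseline group list are constructed; the group and file names follow the entry's own examples, with one service name used consistently so the lookup resolves.

```python
import re

# Constructed sample of `reg query <key> /s` output (not a real capture). It models
# the entries described above: a random-named SvcHost group containing one service,
# and that service's ServiceDll pointing at a random-named DLL in the System folder.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    AeLookupSvc\0BITS\0Schedule\0wuauserv
    LocalService    REG_MULTI_SZ    EventSystem\0nsi
    Otbesykoufi    REG_MULTI_SZ    mupurovym

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\wuaueng.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mupurovym\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\System32\gyrimoyrz.dll
"""

# SvcHost group names recorded from a known-clean machine of the same Windows
# version (constructed here; in practice export them once with `reg export`).
BASELINE_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService",
                           "DcomLaunch", "rpcss", "LocalSystemNetworkRestricted"}

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Value lines are indented: <name> <REG_type> <data>
_VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Parse reg query output into {key_path: {value_name: (type, data)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):           # key paths start in column 0
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data.strip())
    return keys


def service_dll(keys, service):
    """Return the ServiceDll data for a service, or None if the value is not set."""
    params = keys.get(f"{SERVICES_KEY}\\{service}\\Parameters", {})
    entry = params.get("ServiceDll")
    return entry[1] if entry else None


def find_unknown_svchost_groups(keys, baseline):
    """Report SvcHost groups missing from the baseline, with members and their DLLs."""
    findings = []
    for group, (vtype, data) in keys.get(SVCHOST_KEY, {}).items():
        if vtype != "REG_MULTI_SZ" or group in baseline:
            continue
        members = [s for s in data.split(r"\0") if s]   # REG_MULTI_SZ shown with \0 separators
        findings.append({"group": group, "members": members,
                         "dlls": {s: service_dll(keys, s) for s in members}})
    return findings


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    for f in find_unknown_svchost_groups(parsed, BASELINE_SVCHOST_GROUPS):
        print(f"unknown SvcHost group {f['group']!r}: members={f['members']}")
        for svc, dll in f["dlls"].items():
            print(f"  {svc} -> ServiceDll = {dll}")
```

A single-member group outside the baseline whose ServiceDll is an unsigned, randomly named file in the System folder is the pattern to escalate; the DLL path from the report is what to hash and submit for analysis, and the service and group names are what to remove once the MBR has been restored.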
Payload
Gathers and uploads information to a remote server
Trojan:Win32/Gupboot.A monitors the following online card-game processes:
- baduki.exe
- DuelPoker.exe
- FNF.exe
- highlow2.exe
- HOOLA3.EXE
- LASPOKER.exe
- poker7.exe
If it finds any of these processes running, it gathers the following information:
- Screenshots of the gaming window
- Your computer's name
- Your operating system version
Trojan:Win32/Gupboot.A sends this information to a remote server. We have observed it attempting to contact the following servers:
- 192.168.0.<removed>
- 113.30.75.<removed>
Related encyclopedia entries
Trojan:DOS/Gupboot.A
Analysis by Marianne Mallen