Win32/Gnutler [Threat Name]

Win32/Gnutler.AA [Threat Variant Name]

Category trojan
Size 1791 kB
Detection created Sep 05, 2011
Detection database version 6438
Aliases Backdoor.Win32.Gnutler.bcj (Kaspersky)
  Win32:Gnutler-F.[Trj] (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one of the following locations:

  • %system%
  • %temp%

The file name is assembled from a combination of the following strings:

  • aac
  • acl
  • acp
  • adt
  • adv
  • app
  • atl
  • auth
  • bcd
  • bit
  • boot
  • bth
  • cat
  • cert
  • cfg
  • com
  • comm
  • cred
  • crt
  • crypt
  • csc
  • csr
  • ctl
  • dbg
  • dev
  • diag
  • dot3
  • hal
  • hid
  • ias
  • ie
  • if
  • imapi
  • inet
  • iphlp
  • kbd
  • mapi
  • mmc
  • ms
  • net
  • odbc
  • ole
  • perf
  • prn
  • print
  • ras
  • reg
  • rpc
  • srv
  • sys
  • sync
  • task
  • theme
  • upnp
  • w32
  • win
  • wlan
  • wmi
  • client
  • edit
  • ui
  • page
  • rgwiz
  • wiz
  • queue
  • prxy
  • api
  • pack
  • cache
  • svc
  • stream
  • info
  • mgr
  • cpl
  • cap
  • prov
  • spl
  • dlg
  • dll
  • ext
  • help
  • lib
  • man
  • mon
  • res
  • shl
  • util
  • prf
  • hook
  • 32
  • 10
  • 20
  • 40

The filename has the following extension:

  • .exe

This copy of the trojan is then executed.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%malwarefilepath% /a"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%malwarefilename%]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%malwarepath% /s /p %variable%"
    • "DisplayName" = "%malwarefilename%"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\Software\%variable%]
  • [HKEY_CURRENT_USER\Software\%variable%]

This causes the trojan to be executed on every system start. The Run value starts it in the user's session with the /a switch; the service entry (Type 16 = SERVICE_WIN32_OWN_PROCESS, Start 2 = SERVICE_AUTO_START, ErrorControl 1 = SERVICE_ERROR_NORMAL) starts it at boot as LocalSystem with the /s switch.


A string with variable content is used instead of %variable%.
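The persistence traits described above (a copy in %system% or %temp%, a file name built from the fragment list, a Run value ending in "/a", and a LocalSystem service whose ImagePath ends in "/s /p <token>") can be checked offline against exported registry data. The following Python script is an added example, not ESET's code or anything taken from the sample: it parses the text format written by `reg query <key> /s`, and the export embedded in it is constructed data with hypothetical file names (netsvcmgr32, wmiprovsvc) assembled from the fragment list.

```python
"""Hunt for Win32/Gnutler.AA-style persistence in exported registry data.

Added example, not ESET's code. Parses `reg query <key> /s` output so it can
run offline against a collected artifact and scores Run values and services
against the traits listed above; the export at the bottom is constructed."""
import ntpath
import re

# Name fragments from the list above (duplicates removed).
FRAGMENTS = set("""aac acl acp adt adv app atl auth bcd bit boot bth cat cert cfg com comm
cred crt crypt csc csr ctl dbg dev diag dot3 hal hid ias ie if imapi inet iphlp kbd mapi
mmc ms net odbc ole perf prn print ras reg rpc srv sys sync task theme upnp w32 win wlan
wmi client edit ui page rgwiz wiz queue prxy api pack cache svc stream info mgr cpl cap
prov spl dlg dll ext help lib man mon res shl util prf hook 32 10 20 40""".split())

RUN_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?\s+/a$', re.I)            # "<path> /a"
SVC_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?\s+/s\s+/p\s+\S+$', re.I)  # "<path> /s /p <token>"


def segmentable(name):
    """True if name splits entirely into FRAGMENTS (word-break DP).
    Weak on its own: legitimate names such as taskmgr (task + mgr) pass too."""
    name = name.lower()
    ok = [True] + [False] * len(name)
    for end in range(1, len(name) + 1):
        ok[end] = any(ok[start] and name[start:end] in FRAGMENTS for start in range(end))
    return ok[-1]


def in_drop_dir(path):
    """Drop locations named above: %system% or a Temp directory."""
    directory = ntpath.dirname(path).lower()
    return directory.endswith("\\system32") or directory.endswith("\\temp")


def parse_reg_query(text):
    """Parse `reg query /s` output into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if not raw[0].isspace():                              # unindented line is a key path
            current = keys.setdefault(raw.strip(), {})
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)  # name  TYPE  data
        if current is not None and len(parts) == 3:
            current[parts[0]] = (parts[1], parts[2])
    return keys


def file_traits(path, reasons):
    """Append the location and naming traits shared by the Run and service checks."""
    base = ntpath.splitext(ntpath.basename(path))[0]
    if in_drop_dir(path):
        reasons.append("binary in %system% or %temp%")
    if segmentable(base):
        reasons.append("file name built from Gnutler fragments")
    return base


def hunt(text, min_reasons=3):
    """Return [(location, reasons)] for entries showing at least min_reasons traits."""
    findings = []
    for key, values in parse_reg_query(text).items():
        data = lambda name: values.get(name, ("", ""))[1]
        if key.lower().endswith("\\currentversion\\run"):
            for name, (_, cmd) in values.items():
                m = RUN_RE.match(cmd)
                if not m:
                    continue
                reasons = ["Run command is '<path> /a'"]
                if file_traits(m.group("path"), reasons).lower() == name.lower():
                    reasons.append("value name equals file name")
                if len(reasons) >= min_reasons:
                    findings.append((key + "\\" + name, reasons))
        elif "\\currentcontrolset\\services\\" in key.lower():
            m = SVC_RE.match(data("ImagePath"))
            if not m:
                continue
            reasons = ["ImagePath is '<path> /s /p <token>'"]
            base = file_traits(m.group("path"), reasons)
            if data("ObjectName").lower() == "localsystem":
                reasons.append("runs as LocalSystem")
            if data("Type") == "0x10" and data("Start") == "0x2":
                reasons.append("own-process (0x10), auto-start (0x2) service")
            if base.lower() == key.rsplit("\\", 1)[-1].lower() == data("DisplayName").lower():
                reasons.append("service, display and file name identical")
            if len(reasons) >= min_reasons:
                findings.append((key, reasons))
    return findings


# Constructed sample export: one benign Run value beside two Gnutler-like entries.
SAMPLE_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    netsvcmgr32    REG_SZ    C:\Windows\System32\netsvcmgr32.exe /a

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wmiprovsvc
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    C:\Windows\Temp\wmiprovsvc.exe /s /p k3x9
    DisplayName    REG_SZ    wmiprovsvc
    ObjectName    REG_SZ    LocalSystem
"""

if __name__ == "__main__":
    for location, reasons in hunt(SAMPLE_EXPORT):
        print(location, "->", "; ".join(reasons))
```

The fragment check is deliberately only one vote among several: the fragments are the same pieces Windows builds its own binary names from, so a name such as taskmgr passes it. The weight is carried by the "/a" and "/s /p" arguments, the drop directory, and the service, display and file names all being the same string.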

Other information

The trojan acquires data and commands from a remote computer or the Internet.


It uses its own P2P network for communication. The trojan contains a list of 3 URLs.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send files to a remote computer

The trojan creates the following folders:

  • %system%\%variable%\
  • %system%\%variable%\conf\
  • %system%\%variable%\conf\names\
  • %system%\%variable%\conf\templates\

The trojan may execute the following commands:

  • %system%\netsh.exe advfirewall firewall delete rule name="%malwarefilename%"
  • %system%\netsh.exe advfirewall firewall add rule name="%malwarefilename%" dir= in action=allow program="%malwarefilepath%" enable=yes profile=any
  • %system%\netsh.exe firewall delete allowedprogram "%malwarefilepath%"
  • %system%\netsh.exe firewall add allowedprogram "%malwarefilepath%" "%malwarefilename%"

These commands remove any existing rule of the same name and then add an exception in the Windows Firewall that allows inbound connections to the trojan's executable. The advfirewall form applies to Windows Vista and later; the legacy firewall context is used on Windows XP and Server 2003.
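Because the exception is created by spawning netsh rather than through the firewall API, the four command lines above are visible in process-creation telemetry. The following Python script is an added example, not ESET's code: it scans constructed Sysmon-style records (the pipe-separated field layout and the file names netsvcmgr32 and wmiprovsvc are assumptions of the example), recovers the program each rule admits, and flags rules where a binary in %system% or %temp% is admitted under its own file name by a netsh process that the binary itself spawned.

```python
"""Flag Win32/Gnutler.AA-style Windows Firewall exceptions in process-creation logs.

Added example, not ESET's code. Scans constructed Sysmon-style (Event ID 1)
records for the four netsh forms listed above, recovers the program each rule
admits, and flags the ones that look like a dropped binary opening the firewall
for itself. The record layout and file names are assumptions of this example."""
import ntpath
import re

ADV_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+(?P<verb>add|delete)\s+rule\s+(?P<args>.*)", re.I)
LEGACY_RE = re.compile(r"netsh(?:\.exe)?\s+firewall\s+(?P<verb>add|delete)\s+allowedprogram\s+(?P<args>.*)", re.I)
KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')   # tolerates the "dir= in" spacing above
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_netsh(cmdline):
    """Return (verb, rule_name, program) for the four netsh forms above, else None."""
    m = ADV_RE.search(cmdline)
    if m:
        kv = {k.lower(): quoted or bare for k, quoted, bare in KV_RE.findall(m.group("args"))}
        return m.group("verb").lower(), kv.get("name"), kv.get("program")
    m = LEGACY_RE.search(cmdline)
    if m:
        # add allowedprogram "<program>" "<name>"  /  delete allowedprogram "<program>"
        tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(m.group("args"))]
        return (m.group("verb").lower(),
                tokens[1] if len(tokens) > 1 else None,
                tokens[0] if tokens else None)
    return None


def parse_record(line):
    """Split a 'Field: value | Field: value' record into a dict."""
    return dict(part.partition(": ")[::2] for part in line.split(" | "))


def assess(record):
    """Return {verb, name, program, reasons} for a netsh firewall command, else None."""
    parsed = parse_netsh(record.get("CommandLine", ""))
    if not parsed or not parsed[2]:          # delete rule carries no program path
        return None
    verb, name, program = parsed
    reasons = []
    directory = ntpath.dirname(program).lower()
    if directory.endswith("\\system32") or directory.endswith("\\temp"):
        reasons.append("program in %system% or %temp%")
    stem = ntpath.splitext(ntpath.basename(program))[0].lower()
    if name and name.lower() in (stem, ntpath.basename(program).lower()):
        reasons.append("rule name is just the program's file name")
    if record.get("ParentImage", "").lower() == program.lower():
        reasons.append("the admitted program itself ran netsh")
    return {"verb": verb, "name": name, "program": program, "reasons": reasons}


def scan(lines, min_reasons=2):
    """Alerts for records showing at least min_reasons suspicious traits."""
    alerts = []
    for line in lines:
        result = assess(parse_record(line))
        if result and len(result["reasons"]) >= min_reasons:
            alerts.append(result)
    return alerts


# Constructed sample records (not real telemetry): an admin's rule, the Vista+ and
# XP command sequences from above, and an admin's legacy delete.
SAMPLE_LOG = r"""
UtcTime: 2011-09-05 09:12:40 | Image: C:\Windows\System32\netsh.exe | ParentImage: C:\Windows\System32\cmd.exe | CommandLine: netsh advfirewall firewall add rule name="Allow SQL Server" dir=in action=allow program="C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" enable=yes profile=domain
UtcTime: 2011-09-05 09:15:02 | Image: C:\Windows\System32\netsh.exe | ParentImage: C:\Windows\System32\netsvcmgr32.exe | CommandLine: C:\Windows\System32\netsh.exe advfirewall firewall delete rule name="netsvcmgr32"
UtcTime: 2011-09-05 09:15:02 | Image: C:\Windows\System32\netsh.exe | ParentImage: C:\Windows\System32\netsvcmgr32.exe | CommandLine: C:\Windows\System32\netsh.exe advfirewall firewall add rule name="netsvcmgr32" dir= in action=allow program="C:\Windows\System32\netsvcmgr32.exe" enable=yes profile=any
UtcTime: 2011-09-05 09:20:17 | Image: C:\WINDOWS\system32\netsh.exe | ParentImage: C:\DOCUME~1\bob\LOCALS~1\Temp\wmiprovsvc.exe | CommandLine: C:\WINDOWS\system32\netsh.exe firewall add allowedprogram "C:\DOCUME~1\bob\LOCALS~1\Temp\wmiprovsvc.exe" "wmiprovsvc"
UtcTime: 2011-09-05 09:31:55 | Image: C:\WINDOWS\system32\netsh.exe | ParentImage: C:\WINDOWS\system32\cmd.exe | CommandLine: netsh firewall delete allowedprogram "C:\Program Files\App\app.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["verb"], alert["program"], "->", "; ".join(alert["reasons"]))
```

The delete forms carry no program path (advfirewall) or no rule name (legacy), so on their own they yield nothing; in the sample it is the add command that follows each delete which trips the check. Rules for binaries under %system% are common in administrative scripts, which is why the location alone does not raise an alert and the parent-process match is the strongest of the three signals.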
