« Win32.Virut.Gen.4
Trojan.Win32.FraudPack.zwr »

W32.Gosys

No Comments
Sumo3000 By Sumo3000 in Worms | 0 views
Rate it:
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading ... Loading ...

W32.Gosys Description

W32.Gosys is a worm that distributes itself via network shares and local removal drives. W32.Gosys is able to open a backdoor on a compromised PC, making the system vulnerable to other malware attacks. W32.Gosys may install malware that records keystrokes, executes malicious commands and downloads infected files. If you detect W32.Gosys on your system, it is best to automatically remove it with an anti-spyware application.

Type: Worms

How Can You Detect W32.Gosys?

 
 

Download SpyHunter’s Detection Scanner
to Detect W32.Gosys.

 
 

W32.Gosys has typically the following processes in memory:

  • %UserProfile%\\Application Data\\stsys.exe %System%\\blsys.bln %System%\\cmsys.cmn %System%\\explorer.exe %Windir%\\2clksys1.ptn %Windir%\\2clksys2.ptn %Windir%\\2clksys3.ptn %Windir%\\2clksys4.ptn %Windir%\\2dclsys1.ptn %Windir%\\2entsys1.ptn %Windir%\\2entsys2.ptn %Windir%\\2picsys.cpn %Windir%\\3clksys1.ptn %Windir%\\3clksys2.ptn %Windir%\\3clksys3.ptn %Windir%\\3clksys4.ptn %Windir%\\3dclsys1.ptn %Windir%\\3entsys1.ptn %Windir%\\3entsys2.ptn %Windir%\\3picsys.cpn %Windir%\\blsys.bln %Windir%\\spoolsv.exe %Windir%\\svchost.exe

W32.Gosys creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\”StubPath” = “%UserProfile%\Local Settings\Application Data\mrsys.exe MR”
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\”LO” = “0″HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\”BL” = “c:\tools\regshot.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Shell” = “%Windir%\explorer.exe, c:\windows\system32\explorer.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\”StubPath” = “%UserProfile%\Local Settings\Application Data\mrsys.exe MR”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”Svchost” = “c:\windows\svchost.exe RO”
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\”BL” = “c:\tools\regshot.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\”ShowSuperHidden” = “0″
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\”Explorer” = “c:\windows\system32\explorer.exe RO”
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\”NF” = “0″

Important Article Disclaimer

ESG Support Center

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Furl
  • StumbleUpon
  • Technorati
  • YahooMyWeb
This entry was posted on 11/18/09 and is filed under Worms. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Comment

Note: Abusive comments are not allowed. Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Top Malware

Recommended Products

Featured Videos

Poll

How much money have you spent trying to rid your PC of spyware?
View Results

Recent Articles

Top FAQs


Archives

Home Sitemap RSS Feed Privacy Policy End User License Agreement Copyright 2003-2010. Enigma Software Group USA, LLC. All Rights Reserved.