By LoneStar in Malware

Gog.exe is a file associated with the rogue anti-virus application CleanThis. CleanThis is part of a scam, intended to scare users into paying money for a useless program, and Gog.exe is what sets up this fake anti-virus software on a PC. Therefore, the presence of Gog.exe is never a good sign.

Gog.exe as a Trojan Dropper

Gog.exe is itself malware; specifically, it is what is referred to as a Trojan dropper. Gog.exe is classified as a Trojan because it infects a computer by hiding inside something else. It may be hidden in a phony video codec, concealed in a spam email attachment, or bundled with a file that you download from a disreputable or infected source. Gog.exe may also take advantage of drive-by downloads, which cause the Trojan to download automatically just because you have visited a site or clicked on a link. In any case, Gog.exe gets into the system by tricking you into downloading it, one way or another.

Once the Gog.exe Trojan has downloaded to your computer, Gog.exe "drops" (i.e., installs) the files necessary to run the fake security software CleanThis. Gog.exe makes changes to the registry that become effective the next time Windows starts. After that, Gog.exe acts as a go-between, relaying the malware's actual instructions to the operating system.

How Gog.exe Manipulates Windows

The way that Gog.exe takes control over an infected PC is designed to exploit several features of Windows. Specifically, Gog.exe exploits batch (.bat) files and the Task Scheduler, as well as some features of the registry, including Winlogon. The evidence is in the other files dropped by the Trojan: a randomly named .bat file and a corresponding randomly named .job file. That batch file is more dangerous than it looks, because it is the real heart of the infection. How can that be? It mostly has to do with the way that batch files work.

Batch files are essentially a list of commands collected in one text file, which a command interpreter reads and executes in order. Batch files are intended to save time or effort, especially for repetitive tasks. When it comes to malware, however, batch files are often used to hide the malware's activities. This is the case with Gog.exe. Everything Gog.exe does refers back to its randomly named batch file, which is where CleanThis really "lives," so to speak.

Gog.exe exploits the Winlogon auto-run registry key by using the dropped batch file. Winlogon is the first thing that Windows checks and runs when it starts, since Winlogon manages user access, privileges, and settings for the computer. Gog.exe changes Winlogon so that Gog.exe is defined as the user "shell" – the particular set of permissions, access, etc. for the user. This means that by referencing or executing the other dropped files, Gog.exe can tell Windows what you are allowed or not allowed to do. Furthermore, because Gog.exe inserts a reference to itself at Winlogon in the registry, Gog.exe ensures that CleanThis will load even when Windows is in Safe Mode.

Gog.exe also takes advantage of the Task Scheduler capabilities built into Windows by installing a .job file into Windows' scheduled tasks. The purpose of tasks in Windows is to have Windows do certain things automatically when certain conditions are met, and each task has its own set of conditions. So, by taking advantage of Task Scheduler, the files dropped by Gog.exe can tell Windows to do specific things in order to create the appearance that CleanThis is real software that has found threats on your computer. This makes it easy for the malware to prevent you from running other programs, or to generate alerts on a given schedule, among many other things.
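A defender-side check for the two persistence points described above (the Winlogon shell value and the dropped .bat/.job task), added here as an example and not code from the original article or from the malware itself. It assumes the Shell value under the standard Winlogon registry key, legacy .job files under %SystemRoot%\Tasks, and Windows 8 / Server 2012 or later for Get-ScheduledTask.

```powershell
# Added triage script (not from the original article): audit the Winlogon
# "Shell" value and scheduled tasks that run batch files, the two persistence
# mechanisms this page describes. Run from an elevated PowerShell prompt.

$findings = @()

# 1. Winlogon Shell: the default is "explorer.exe". Anything else (for example a
#    path to gog.exe or to a .bat file) deserves a closer look. Both the
#    machine-wide and the current-user key are checked.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{ Source = "$key\Shell"; Value = $shell }
    }
}

# 2. Legacy .job files: Task Scheduler 1.0 tasks are stored in %SystemRoot%\Tasks.
#    A randomly named .job file here matches the artifact the article describes.
Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Tasks folder (.job)'; Value = $_.FullName }
    }

# 3. Registered tasks whose action runs a batch file, either directly or as an
#    argument to cmd.exe. Non-exec actions have no Execute/Arguments and are skipped.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match '\.bat\b') {
            $findings += [pscustomobject]@{
                Source = "Task $($task.TaskPath)$($task.TaskName)"
                Value  = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Winlogon Shell change, .job file, or batch-file task found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit from this script is a lead, not a verdict: legitimate software occasionally schedules batch files, so compare each flagged path against what is actually installed before removing anything.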

CleanThis is not the first piece of malware to use a file called "Gog.exe," and for at least two or three years there have been various other malware threats that use the name. However, given that the Gog.exe responsible for CleanThis behaves differently from these other threats called Gog.exe, it is unclear whether or not they are related at all.
