W32.Gosys

W32.Gosys is a worm that spreads via network shares and local removable drives. It can open a backdoor on a compromised PC, making the system vulnerable to other malware attacks. W32.Gosys may install malware that records keystrokes, executes malicious commands and downloads infected files. If you detect W32.Gosys on your system, it is best to automatically remove it with an anti-spyware application.

File System Details

W32.Gosys may create the following file(s):
# File Name Detections
1. %UserProfile%\Application Data\stsys.exe
   %System%\blsys.bln
   %System%\cmsys.cmn
   %System%\explorer.exe
   %Windir%\2clksys1.ptn
   %Windir%\2clksys2.ptn
   %Windir%\2clksys3.ptn
   %Windir%\2clksys4.ptn
   %Windir%\2dclsys1.ptn
   %Windir%\2entsys1.ptn
   %Windir%\2
2. %UserProfile%\Application Data\mrsys.exe
   %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\4H67CTM7\3picsys[1].gif
   %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\GTYN8HUZ\cmsys[1].gif
   %UserProfile%\Local Set

Registry Details

W32.Gosys may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"
