Trojan.GootKit

Trojan.GootKit arrives on a computer as a malicious link in spammed email messages. When executed, it gathers sensitive information from the infected computer, such as user names and passwords. Trojan.GootKit can also allow a remote attacker to gain access to the compromised computer and download additional threats.

Alias: Backdoor.Trojan, Downloader, Packed.Cupx!gen5, Trojan Horse, Trojan.Dropper, Trojan.Gen, W32.Ircbrute

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When Trojan.GootKit is executed, it drops a malicious DLL file under the Windows directory and enables automatic start-up by adding an entry to the Windows registry.

The Trojan accesses a remote server to download a C&C (Command and Control) configuration file, which directs it to perform additional tasks including the following:

  • Communicate with a specified remote computer
  • Download and run files from a distant server
  • Steal sensitive information like user name, password, computer information and network data
  • Embed malicious JavaScript code into HTML files
  • Start and stop any running processes
  • Create, modify and delete any Windows registry subkeys
  • List, create and delete computer files
  • Send gathered information to a remote attacker using FTP and email transmission

Distribution
Trojan.GootKit propagates by mass-mailing spam messages that contain malicious links pointing to the Trojan's location. It may also spread by stealing FTP (File Transfer Protocol) accounts and infecting HTML files on the web sites they give access to.

Added Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\"GootkitSSO" = "{FE7D5E7C-3EAF-47BC-89EF-CD279EA619DE}"
HKEY_CLASSES_ROOT\CLSID\{0FDB33AF-96F2-4AD6-A737-956138C470C5}\InProcServer32\"(Default)" = "%System%\msxsltsso.dll"
HKEY_CLASSES_ROOT\CLSID\{FE7D5E7C-3EAF-47BC-89EF-CD279EA619DE}\InProcServer32\"(Default)" = "%System%\msxsltsso.dll"

Associated Files and Folders:
%System%\msxsltsso.dll
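To check a Windows host for the persistence indicators listed above, the following PowerShell script is an added example (not part of the original advisory or of any vendor tool). It assumes %System% resolves to $env:SystemRoot\System32, and it only reports what it finds; it removes nothing.

```powershell
# Added example (not from the original advisory): look for the Trojan.GootKit
# persistence indicators this page lists. Read-only; run from an elevated prompt.

$SsodlKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$SsodlName = 'GootkitSSO'
$Clsids    = @('{0FDB33AF-96F2-4AD6-A737-956138C470C5}',
               '{FE7D5E7C-3EAF-47BC-89EF-CD279EA619DE}')
# Assumption: %System% is $env:SystemRoot\System32 on this host.
$DllPath   = Join-Path $env:SystemRoot 'System32\msxsltsso.dll'

$findings = @()

# 1. ShellServiceObjectDelayLoad value: explorer.exe loads every CLSID listed here at
#    logon, so this single value is what gives the DLL its automatic start-up.
$ssodl = Get-ItemProperty -Path $SsodlKey -ErrorAction SilentlyContinue
if ($ssodl -and $ssodl.PSObject.Properties[$SsodlName]) {
    $findings += "SSODL value '$SsodlName' = $($ssodl.$SsodlName)"
}

# 2. CLSID registrations whose in-process server is the dropped DLL.
foreach ($clsid in $Clsids) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $srv = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($srv) { $findings += "CLSID $clsid InProcServer32 = $srv" }
}

# 3. The dropped file itself; hash it so the sample can be submitted to your AV vendor.
if (Test-Path -LiteralPath $DllPath) {
    $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
    $findings += "File present: $DllPath (SHA256 $hash)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.GootKit indicators from this advisory were found.'
} else {
    Write-Output 'Possible Trojan.GootKit indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

On 64-bit Windows a 32-bit DLL would live under SysWOW64 and its CLSIDs under HKEY_CLASSES_ROOT\Wow6432Node\CLSID, so check those locations as well.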

How to Remove Trojan.GootKit

1. Temporarily disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Trojan.GootKit, open your antivirus application and update the virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows, loading only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.

Scan with Norton Power Eraser:

An additional removal tool such as Norton Power Eraser provides deeper scanning to eliminate threats that a normal virus scan does not detect. Use this tool with extra caution.

5. Download Norton Power Eraser.
6. Once the download completes, double-click the file NPE.exe to run the program.
7. It will prompt for the End User License Agreement; click Accept to continue.
8. On the NPE main window, click Scan. Then select Exclude Rootkit Scan and click Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.

Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in the Detected category need to be removed at this point. Make sure that Create System Restore Point is checked before proceeding with the fix.

10. Now click Fix to start removing the threats, including any Trojan.GootKit remnants.
11. When done, Norton Power Eraser will restart the computer. After the reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.

What to do next...