Threat Description

Other: W32/Googkle

Details

Aliases: Googkle, Googkle.com
Category: Malware
Type: Other
Platform: W32

Summary



A malicious program that does not fall into any other category.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The detection 'Googkle' refers to a malicious website first seen in late April 2005. The site takes advantage of a likely typing error a user might make when entering the name of the popular search engine, 'Google.com'. The malicious site uses the name 'Googkle.com'; a few related sites are also involved.

Please do not visit these sites.

The appropriate authorities have been notified.

Once on the site, the user's system is subjected to drive-by downloads: silent, unauthorized downloads of adware and malicious programs. The user is then prompted to visit a website promoting anti-virus programs and spyware cleaners for download. Unfortunately, the methods used for promotion are malicious.

The sites are registered by persons using Russian names. In addition, several of the malicious files downloaded from these websites contain Russian text.
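The domain in this write-up is a one-keystroke typo of 'google.com' ('k' sits next to 'l' on a QWERTY keyboard). The following Python script is an added example, not part of F-Secure's description, showing how a defender might screen a list of observed domains for single-edit lookalikes of a protected brand. The brand watchlist, the keyboard-neighbour map and every sample domain other than 'googkle.com' and 'ntsearch.com' (both named on this page) are constructed for the example, and the label extraction assumes a single-label TLD such as .com.

```python
"""Single-edit typosquat screen (added example, not part of the original write-up)."""

# Constructed: QWERTY neighbours, used to mark substitutions/insertions as fat-finger typos.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}

PROTECTED_BRANDS = ("google",)  # constructed watchlist; extend with your own brand labels


def adjacent(a: str, b: str) -> bool:
    """True if key b is next to key a on a QWERTY layout."""
    return b in QWERTY_NEIGHBOURS.get(a, "")


def one_edit(candidate: str, brand: str):
    """Describe the single edit that turns brand into candidate, or None if they differ by more."""
    if candidate == brand or abs(len(candidate) - len(brand)) > 1:
        return None
    i = 0  # index of the first mismatching character
    while i < min(len(candidate), len(brand)) and candidate[i] == brand[i]:
        i += 1
    if len(candidate) == len(brand):
        if candidate[i + 1:] == brand[i + 1:]:
            tag = " (keyboard-adjacent)" if adjacent(brand[i], candidate[i]) else ""
            return f"substitution {brand[i]}->{candidate[i]}{tag}"
        if candidate[i:i + 2] == brand[i:i + 2][::-1] and candidate[i + 2:] == brand[i + 2:]:
            return f"transposition {brand[i:i + 2]}"
        return None
    if len(candidate) > len(brand):
        if candidate[i + 1:] == brand[i:]:
            # keys typed just before and after the extra character
            neighbours = brand[max(i - 1, 0):i + 1]
            tag = " (keyboard-adjacent)" if any(adjacent(n, candidate[i]) for n in neighbours) else ""
            return f"insertion of {candidate[i]}{tag}"
        return None
    if candidate[i:] == brand[i + 1:]:
        return f"deletion of {brand[i]}"
    return None


def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label TLD such as .com (example simplification)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def check_domain(domain: str, brands=PROTECTED_BRANDS):
    """Return (brand, edit description) if the domain is one edit from a protected brand, else None."""
    label = registrable_label(domain)
    for brand in brands:
        edit = one_edit(label, brand)
        if edit:
            return brand, edit
    return None


def screen(domains):
    """Return [(domain, brand, edit)] for every lookalike in the list."""
    hits = []
    for domain in domains:
        hit = check_domain(domain)
        if hit:
            hits.append((domain, hit[0], hit[1]))
    return hits


# Constructed test input; only 'googkle.com' and 'ntsearch.com' appear in the write-up.
SAMPLE_DOMAINS = ["googkle.com", "google.com", "gogle.com", "googel.com",
                  "www.goggle.com", "ntsearch.com"]

if __name__ == "__main__":
    for domain, brand, edit in screen(SAMPLE_DOMAINS):
        print(f"{domain}: lookalike of {brand} ({edit})")
```

The check is deliberately narrow (one insertion, deletion, substitution or adjacent transposition), which keeps false positives low on a list of newly registered or proxy-observed domains; the keyboard-adjacency tag separates fat-finger typos like 'googkle' from homoglyph or brand-plus-word abuse, which needs different logic.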

Drive-by Downloads

When 'googkle.com' is opened in a browser, it opens two popup windows linked to the following websites:

  • www.ntsearch.com
  • toolbarpartner.com

The 'ntsearch.com' website downloads and runs the 'pop.chm' file; the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using browser exploits, and each in turn contains an exploit that runs an embedded executable. One of the webpages on the 'toolbarpartner.com' website also downloads a file named 'pic10.jpg' using an exploit. In addition, these websites launch a stream of webpages with different exploits, which download and run two files from the 'daosearch.com' website:

  • web.exe
  • classload.jar

Execution

Once downloaded onto the computer, the malicious files execute.

JAR file

The actual malware functionality is in Installer.class, which downloads a file from the same location the JAR file is being loaded from. First, the applet looks for the filename to download in the applet parameter ModulePath (specified in the HTML tag). If the parameter is not specified, the applet defaults to msxmidi.dat. After the file is downloaded, the applet gets the location of the Windows directory with GetWindowsDirectory(), saves the downloaded executable there as 'web.exe' and executes it.

CHM files

The 'pop.chm' file drops the 'sp.exe' file (detected as 'Trojan.Win32.Spooner.f') and runs it. The 'ddfs.chm' file drops the 'frame.exe' file (detected as 'Trojan-Downloader.Win32.Small.apf') and runs it. The Small.apf trojan can automatically answer the security prompts Windows raises, so that its process keeps its connection to the Internet. This downloader downloads and runs the following files from the 'toolbarpartner.com' website:

  • xz.exe - detected as Trojan-Dropper.Win32.Small.vv
  • ggl.exe

The 'xz.exe' file drops a DLL named 'winloadhh.dll' (detected as 'Trojan-Downloader.Win32.Small.anu') to the root folder of the C: drive. The 'pic10.jpg' file downloaded from the 'toolbarpartner.com' website (actually an executable that replaces the Windows Media Player application) drops an identical component to the same location. The 'web.exe' file is identical to the 'pic10.jpg' file.

Downloads

Trojan-Downloader.Win32.Small.anu connects to two different websites to download malware. From the 'sturfajtn.com' website:

  • next3.exe - detected as Backdoor.Win32.Zins.c
  • next1.exe - detected as Trojan-Spy.Win32.Banker.jk
  • next2.exe - detected as Trojan-Proxy.Win32.Small.bh

From the 'toolbarpartner.com' website:

  • svchosts.exe
  • winran.exe
  • toolbar.exe - installs an adware toolbar known as 'Perez'.
  • ggl.exe - detected as Trojan-Dropper.Win32.Small.vn
  • proxyrnd.exe - detected as Backdoor.Win32.Jeemp.c
  • ldr.exe - detected as Trojan-Downloader.Win32.Agent.lv
  • inst.exe - detected as Trojan-Dropper.Win32.Small.wp

The 'winran.exe' file is a trojan dropper that copies itself to the Windows System folder under a random name and drops a DLL, also with a random name, into the same folder. The DLL modifies the HOSTS file to block connections to the following websites:

  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • download.mcafee.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • update.symantec.com
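HOSTS-file tampering of this kind cuts the victim off from antivirus updates and leaves a durable artifact on disk. The following Python script is an added example, not part of F-Secure's write-up, that parses a hosts file and flags any entry pinning a vendor update host to an address. The eight hostnames in the watchlist are the ones listed above; the suffix list and the sample hosts-file contents are constructed for the example.

```python
"""Flag hosts-file entries that hijack antivirus update servers (added example)."""
import ipaddress

# The hostnames the write-up says the dropped DLL blocks.
BLOCKED_BY_WINRAN = frozenset({
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "download.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
})

# Constructed: vendor domains whose subdomains have no business in a hosts file.
WATCH_SUFFIXES = ("kaspersky-labs.com", "mcafee.com", "symantec.com", "symantecliveupdate.com")


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every effective entry; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop inline comments
        fields = entry.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def under_suffix(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_av_hijacks(text, watchlist=BLOCKED_BY_WINRAN, suffixes=WATCH_SUFFIXES):
    """Return [(line_no, host, address, reason)] for watched hosts pinned in the hosts file."""
    findings = []
    for line_no, address, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed address field; the resolver would not honour it
        for host in hosts:
            if host in watchlist or under_suffix(host, suffixes):
                if ip.is_loopback or ip.is_unspecified:
                    reason = "sinkholed to " + address
                else:
                    reason = "redirected to " + address
                findings.append((line_no, host, address, reason))
    return findings


# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = "\n".join([
    "# Windows hosts file (constructed sample)",
    "127.0.0.1       localhost",
    "127.0.0.1   downloads1.kaspersky-labs.com   # appended by the dropper",
    "127.0.0.1   liveupdate.symantec.com update.symantec.com",
    "0.0.0.0 download.mcafee.com",
    "10.0.0.5    intranet.example",
])

if __name__ == "__main__":
    for line_no, host, address, reason in find_av_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} {reason}")
```

Feed it the contents of %SystemRoot%\System32\drivers\etc\hosts. A clean hosts file has no reason to mention a vendor's update servers at all, so any hit is a strong tampering indicator, and a pin to a non-loopback address ("redirected to ...") deserves a closer look than a plain sinkhole, since it may be feeding the updater a hostile server.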

The 'svchosts.exe' file is a trojan dropper that drops a DLL named 'svchosts.dll' into the Windows System folder. This DLL places a fake virus alert on the desktop. The alert looks like this (original spelling preserved):

VIRUS ALERT! YOUR PC IS INFECTED!
IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES!
TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC! 
The consequences of spyware and virus presence on your pc might be like:
loosing all the data, data might be stolen, your secrets might be exposed.
PROTECT YOUR PC! REMOVE ALL VIRUSES NOW!

This fake alert is created by placing an HTML file on the desktop, so that a user can click on the alert and be taken to a pre-defined website. The link in this fake alert points to the following website:

  • topantivirus.biz

This website offers links to other websites that offer anti-virus and spyware cleaners for download. The motto of the site is 'Top Antivirus - We help people.' Unfortunately, the way people are directed to that website is somewhat deceptive.





