Trojan-Spy:W32/Goldun.RR will install two other malicious programs on the machine before terminating itself; subsequently, the malwares will communicate with a remote site without the user's knowledge or consent.

Unlike most malware, Goldun.RR will make registry changes that allow it to run even in Safe Boot Mode.

During installation, Goldun.RR drops the following files:

•  C:\WINDOWS\system32\cabpck.dll  - detected as Trojan-Spy.Win32.Goldun.axn.
•  C:\WINDOWS\system32\krnlcab.sys   - detected as Trojan-Spy.Win32.Goldun.axr.

The main file create this process and terminate itself:

•  C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck

Once installed, Goldun.RR attempts to connect to:

•  social-bos.biz/jerken/data.php?trackid=706[...]

Registry Changes

It creates a launch point using winlogon event:

•  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck
    DllName = cabpck.dll
    Startup = cabpck
    Impersonate = 00000001
    Asynchronous = 00000001
    MaxWait = 00000001
    a950 = [2E09BF121A42171A6]
  

Goldun.RR registers itself as a service:

•  HKLM\System\CurrentControlSet\Services\krnlcab
    Type = 00000001
    Start = 00000001
    ErrorControl = 00000000
    ImagePath = system32\krnlcab.sys
    DisplayName = Cabinet Kernel Packer
•  HKLM\System\CurrentControlSet\Services\krnlcab\Security
    Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\[...]

Creates this entry so that it will load during safe boot mode:

•  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\krnlcab.sys
    (default) = Driver

Adds its connection to the Windows firewall list so as by-pass it:

•  HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    \AuthorizedApplications\List\
    C:\WINDOWS\system32\rundll32.exe =
    C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32