
Video deleted by GoGho Trojan

The GoGho Trojan deletes various multimedia files from infected computers.

After creating a few files, the trojan modifies the Windows registry at several points. Among other things, this makes Task Manager, Registry Editor and the Command Prompt window inaccessible. The trojan also deletes the Windows hosts file from infected systems.

The main purpose of GoGho is to delete multimedia files with a range of extensions. However, the malware only removes these files from drive “E” (if such a drive exists). Among the affected files are those with extensions such as mov, avi, wmv, mpg and mpeg.


When the GoGho Trojan starts, it performs the following actions:

  1. Creates the following files:
    %WinDir%\system32\%RandomName%\%RandomName%.exe
    %WinDir%\system32\%RandomName%\GoldenGhost.exe
    %WinDir%\system32\%RandomName%\devil.ocx
    %WinDir%\system32\%RandomName%\pluto.ocx
  2. Deletes the following file:
    %WinDir%\system32\drivers\etc\hosts
  3. Modifies the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidefileext = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\superhidden = 0
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\hidden = 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization = GoldenGhost.Inc
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\RegisteredOwner = GoldenGhost
  4. Adds the following registry entries:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “GoldenGhost” = %Path of GoGho trojan%
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoFind” = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoFolderOptions” = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoRun” = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableCMD” = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 1
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 1
    HKEY_CURRENT_USER\Software\GoldenGhost.A
  5. Displays the following message in a window containing a text field:
    “Oohhh… Aughhhh… yes… babbby…!!”
  6. Deletes files with the following extensions from the “E” drive (if it exists):
    *.mov
    *.dat
    *.wmv
    *.3gp
    *.avi
    *.mpg
    *.mpeg
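The registry changes listed in steps 3 and 4 are the most reliable way to spot this infection on a collected system. The following Python script is an added example (not part of the original write-up): it parses a `reg export` text file and reports which of the GoGho indicators from the list above are present. The sample export and the random directory name in it are constructed for the demonstration.

```python
import re

# Indicators from the GoGho write-up: (key path, value name, expected data).
# expected None = flag if the value exists at all; name None = flag if the key exists.
GOGHO_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFind", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOrganization", "GoldenGhost.Inc"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion", "RegisteredOwner", "GoldenGhost"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "GoldenGhost", None),
    (r"HKEY_CURRENT_USER\Software\GoldenGhost.A", None, None),
]

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string and dword values)."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = data  # hex:/expand values kept raw
    return keys

def find_gogho_indicators(keys):
    """Return human-readable hits; registry key and value names compare case-insensitively."""
    by_key = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in keys.items()}
    hits = []
    for key, name, expected in GOGHO_INDICATORS:
        vals = by_key.get(key.lower())
        if vals is None:
            continue
        if name is None:
            hits.append(f"{key} (key present)")
        elif name.lower() in vals and (expected is None or vals[name.lower()] == expected):
            hits.append(f"{key}\\{name} = {vals[name.lower()]!r}")
    return hits

def triage_reg_export(text):
    return find_gogho_indicators(parse_reg_export(text))

# Constructed sample export; "qzxv" stands in for the trojan's random directory name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"GoldenGhost"="C:\\Windows\\system32\\qzxv\\GoldenGhost.exe"

[HKEY_CURRENT_USER\Software\GoldenGhost.A]
'''

if __name__ == "__main__":
    for hit in triage_reg_export(SAMPLE_REG):
        print("GoGho indicator:", hit)
```

A hit on the `Run` value or the `GoldenGhost.A` key is specific to this family, while the `Policies` values alone could also come from legitimate group policy, so confirm them against the file artefacts from step 1 before cleaning up.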
