Other:W32/Googkle

Classification

Category :

Malware

Type :

Other

Aliases :

Googkle, Googkle.com

Summary

A malicious program that does not fall into any other category.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The detection 'Googkle' refers to a malicious site first detected in late April 2005. The site takes advantage of a possible spelling error a user might make when typing the name of the popular search engine - 'Google.com'. The malicious site uses the name 'Googkle.com'; a few related sites are also involved.

Please do not visit these sites.

The appropriate authorities have been notified. Once on the site, the user's system is subjected to drive-by downloads - silent, unauthorized downloads of adware and malicious programs. The user is then prompted to visit a website promoting anti-virus programs and spyware cleaners for download. Unfortunately, the methods used for promotion are malicious. The sites are registered by persons using Russian names. In addition, several malicious files downloaded from these websites contain Russian text.

Drive-by Downloads

When 'googkle.com' is opened in a browser, it shows 2 popup windows that link to the following websites:

  • www.ntsearch.com
  • toolbarpartner.com

The 'ntsearch.com' website downloads and runs the 'pop.chm' file; the 'toolbarpartner.com' website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits, and both themselves contain exploits that run embedded executable files. One of the webpages of the 'toolbarpartner.com' website also downloads a file named 'pic10.jpg' using an exploit. In addition, these websites launch a stream of webpages with different exploits, which download and run 2 files from the 'daosearch.com' website:

  • web.exe
  • classload.jar

Execution

Once downloaded onto the computer, the malicious files execute.

JAR file

The actual malware functionality is in Installer.class, which downloads a file from the same location the JAR file is loaded from. First, the applet looks for the filename to download in the applet parameter ModulePath (specified in the HTML tag). If the parameter is not specified, the applet defaults to msxmidi.dat. After the file is downloaded, the applet gets the location of the Windows directory with GetWindowsDirectory(), saves the downloaded executable there as 'web.exe' and executes it.

CHM files

The 'pop.chm' file drops the 'sp.exe' file (detected as 'Trojan.Win32.Spooner.f') and runs it. The 'ddfs.chm' file drops the 'frame.exe' file (detected as 'Trojan-Downloader.Win32.Small.apf') and runs it. The Small.apf trojan can automatically answer security prompts shown by Windows so that its process keeps its connection to the Internet. This downloader downloads and runs the following files from the 'toolbarpartner.com' website:

  • xz.exe - detected as Trojan-Dropper.Win32.Small.vv
  • ggl.exe

The 'xz.exe' file drops a DLL named 'winloadhh.dll' (detected as 'Trojan-Downloader.Win32.Small.anu') to the root folder of the C: drive. The 'pic10.jpg' file dropped from the 'toolbarpartner.com' website (actually an executable that replaces the Windows Media Player application) drops an identical component to the same location. The 'web.exe' file is identical to the 'pic10.jpg' file.

Downloads

Trojan-Downloader.Win32.Small.anu connects to 2 different websites to download malware. From the 'sturfajtn.com' website:

  • next3.exe - detected as Backdoor.Win32.Zins.c
  • next1.exe - detected as Trojan-Spy.Win32.Banker.jk
  • next2.exe - detected as Trojan-Proxy.Win32.Small.bh

From the 'toolbarpartner.com' website:

  • svchosts.exe
  • winran.exe
  • toolbar.exe - installs an adware toolbar known as 'Perez'.
  • ggl.exe - detected as Trojan-Dropper.Win32.Small.vn
  • proxyrnd.exe - detected as Backdoor.Win32.Jeemp.c
  • ldr.exe - detected as Trojan-Downloader.Win32.Agent.lv
  • inst.exe - detected as Trojan-Dropper.Win32.Small.wp

The 'winran.exe' file is a trojan dropper that copies itself to the Windows System folder under a random name and drops a DLL, also with a random name, into the same folder. The DLL modifies the HOSTS file to block connections to the following websites:

  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • download.mcafee.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • update.symantec.com
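A defender can look for this side effect directly: a HOSTS file that maps any vendor update host to a fixed address has been tampered with, since these hosts are never legitimately pinned there. The following checker is an added example (not F-Secure's code) that parses HOSTS text the way the resolver does and flags the domains listed above; the sample HOSTS content is constructed for illustration.

```python
# Added example: flag HOSTS entries that hijack the anti-virus update
# domains named in the description above. Not part of the original page.

# Update hosts the dropped DLL is described as blocking (from the page).
BLOCKED_UPDATE_DOMAINS = {
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "download.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping line.
    Comments (# ...) and blank lines are skipped, as the resolver skips them."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def find_hijacked_update_domains(text, watch=BLOCKED_UPDATE_DOMAINS):
    """Return [(line_no, address, hostname)] for every watched domain the
    HOSTS file redirects. Any mapping at all is suspicious, regardless of
    whether it points at 127.0.0.1, 0.0.0.0 or a remote address."""
    hits = []
    for line_no, address, hostnames in parse_hosts(text):
        for host in hostnames:
            if host in watch:
                hits.append((line_no, address, host))
    return hits


# Constructed sample HOSTS content (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   download.mcafee.com   # added by the dropper
127.0.0.1 liveupdate.symantec.com update.symantec.com
0.0.0.0 downloads1.kaspersky-labs.com
"""

if __name__ == "__main__":
    for line_no, address, host in find_hijacked_update_domains(SAMPLE_HOSTS):
        print(f"HOSTS line {line_no}: {host} -> {address}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacked_update_domains; an empty result means none of the listed update hosts are redirected.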

The 'svchosts.exe' file is a trojan dropper that drops a DLL named 'svchosts.dll' into the Windows System folder. This DLL places a fake virus alert on the desktop. The alert looks like this (original spelling preserved):

VIRUS ALERT! YOUR PC IS INFECTED! IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES! TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC!
The consequences of spyware and virus presence on your pc might belike:
loosing all the data, data might be stolen, your secrets might beexposed.
PROTECT YOUR PC! REMOVE ALL VIRUSES NOW!

This fake alert is created by placing an HTML file on the desktop, so that a user can click on the alert and be taken to a pre-defined website. The link from this fake alert points to the following website:

  • topantivirus.biz

This website offers links to various websites that offer anti-virus and spyware cleaners for download. The motto of this site is 'Top Antivirus - We help people.' Unfortunately, the way people are directed to that website is somewhat deceptive.