W32.Gosys

W32.Gosys Description


W32.Gosys is a malicious worm that spreads via computer networks. It opens a back door on the compromised computer and may cause additional damage to the system by recording keystrokes, updating itself, and downloading files to execute commands. Once installed, W32.Gosys creates files in the main Windows OS directories and creates or modifies certain registry entries so that it runs whenever Windows starts. Please use an automatic removal tool to remove W32.Gosys from the system before damage occurs.





File System Modifications

  • The following files were created in the system:
    • %UserProfile%\Application Data\mrsys.exe
    • %UserProfile%\Application Data\stsys.exe
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\4H67CTM7\3picsys[1].gif
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\GTYN8HUZ\cmsys[1].gif
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\W9UNG1MR\2picsys[1].gif
    • %System%\blsys.bln
    • %System%\cmsys.cmn
    • %System%\explorer.exe
    • %Windir%\2clksys1.ptn
    • %Windir%\2clksys2.ptn
    • %Windir%\2clksys3.ptn
    • %Windir%\2clksys4.ptn
    • %Windir%\2dclsys1.ptn
    • %Windir%\2entsys1.ptn
    • %Windir%\2entsys2.ptn
    • %Windir%\2picsys.cpn
    • %Windir%\3clksys1.ptn
    • %Windir%\3clksys2.ptn
    • %Windir%\3clksys3.ptn
    • %Windir%\3clksys4.ptn
    • %Windir%\3dclsys1.ptn
    • %Windir%\3entsys1.ptn
    • %Windir%\3entsys2.ptn
    • %Windir%\3picsys.cpn
    • %Windir%\blsys.bln
    • %Windir%\spoolsv.exe
    • %Windir%\svchost.exe

Registry Modifications

  • The following registry values were created:
    HKEY..\..\..\..{Subkeys}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
    • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"
    • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"
    • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"
    • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"
Posted: November 18, 2009
Threat Metric
Threat Level: 5/10
