Threat Encyclopedia

Installation

The following files are dropped in the %system% folder:

openglssd.sys
openglss.dll

The library is loaded and injected into the following process:

EXPLORER.EXE

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"DllName" = "openglss.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Startup" = "openglss"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Impersonate" = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Asynchronous" = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"MaxWait" = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss\nk48id]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Type" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Start" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"ErrorControl" = "0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"ImagePath" = "\??\%system%\openglssd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"DisplayName" = "OPENGL technology access"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"0" = "Root\LEGACY_OPENGLSSD\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"Count" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"NextInstance" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Explorer.EXE" = "%windir%\Explorer.EXE:*:Enabled:explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"Persistent" = "0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OPENGLSSD\0000\Control]
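
The entries above describe two persistence points and one firewall change: the Winlogon\Notify key registers openglss.dll as a Winlogon notification package (a mechanism Winlogon honours on Windows XP/2003 and which was removed in Windows Vista), the openglssd service registers the dropped .sys as a kernel driver (Type 1) loaded at system start (Start 1), and the SharedAccess entry authorizes Explorer.EXE, the process the DLL is injected into, in the Windows Firewall standard profile. The following Python script is an added example, not part of the original entry or of any vendor tool: it parses a .reg-style export (the constructed sample embeds the keys listed on this page plus two benign entries) and flags the three indicator types. The XP notification-package baseline and the heuristic that kernel drivers normally live under system32\drivers are assumptions made for the example; on a real case, compare against an export from a known-clean host of the same build.

```python
"""Triage a Windows registry export for the persistence indicators listed above.

Added example. Handles both the page's `"name" = "value"` layout and the
`"name"="value"` / `"name"=dword:00000001` layout of a real .reg export.
"""
import re

# Constructed sample: the entries from this page, plus a default Winlogon
# notification package and the Beep driver to show what is NOT flagged.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"DllName" = "openglss.dll"
"Startup" = "openglss"
"Impersonate" = "1"
"Asynchronous" = "1"
"MaxWait" = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss\nk48id]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName" = "crypt32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Type" = "1"
"Start" = "1"
"ErrorControl" = "0"
"ImagePath" = "\??\%system%\openglssd.sys"
"DisplayName" = "OPENGL technology access"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"0" = "Root\LEGACY_OPENGLSSD\0000"
"Count" = "1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\SystemRoot\system32\drivers\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Explorer.EXE" = "%windir%\Explorer.EXE:*:Enabled:explorer"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:"(.*)"|(\S+))$')

NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
FIREWALL_LIST = (SERVICES_ROOT + r'\SharedAccess\Parameters\FirewallPolicy'
                 r'\StandardProfile\AuthorizedApplications\List')

# Notification packages present on a clean Windows XP SP2 install (assumption for
# this example; in practice take the baseline from a known-clean host of the same build).
XP_NOTIFY_BASELINE = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop',
                      'schedule', 'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}


def parse_reg(text):
    """Return {key_path: {value_name: value_data}}, key paths kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return keys


def _as_int(value):
    """Accept both the page's "1" and a .reg export's dword:00000001."""
    if value is None:
        return None
    v = value.lower()
    try:
        return int(v[6:], 16) if v.startswith('dword:') else int(v)
    except ValueError:
        return None


def _direct_child(key, parent):
    """Name of `key` if it sits directly under `parent` (case-insensitive), else None."""
    prefix = parent.lower() + '\\'
    if not key.lower().startswith(prefix):
        return None
    rest = key[len(prefix):]
    return rest if rest and '\\' not in rest else None


def find_indicators(keys, notify_baseline=XP_NOTIFY_BASELINE):
    """Return (rule, subject, detail) tuples for the three indicator types on this page."""
    findings = []
    for key, values in keys.items():
        # 1. Winlogon notification package not in the baseline.
        name = _direct_child(key, NOTIFY_ROOT)
        if name is not None and name.lower() not in notify_baseline:
            findings.append(('winlogon-notify', name, values.get('DllName', '')))
        # 2. Kernel-driver service (Type 1) whose image is not under a drivers\ folder.
        name = _direct_child(key, SERVICES_ROOT)
        if name is not None and _as_int(values.get('Type')) == 1:
            image = values.get('ImagePath', '')
            if image.lower().endswith('.sys') and '\\drivers\\' not in image.lower():
                findings.append(('kernel-driver', name, image))
        # 3. Windows Firewall exception granted to Explorer.EXE.
        if key.lower() == FIREWALL_LIST.lower():
            for app, rule in values.items():
                if app.lower().endswith('explorer.exe') and ':enabled:' in rule.lower():
                    findings.append(('firewall-exception', app, rule))
    return findings


if __name__ == '__main__':
    for rule, subject, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{rule:20} {subject:32} {detail}')
```

To use it against a live system, export the relevant hives with `reg export` and pass the file contents to parse_reg; the Enum\Root\LEGACY_* entries are created by the PnP manager for any legacy driver and are not treated as an indicator on their own.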

Information stealing

The trojan collects passwords used to access the following site:

https://www.e-gold.com

The trojan can send the information to a remote machine.

Other information

The trojan blocks access to the following sites:

avp.ch
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
avp.com
avp.ru
awaps.net
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
virustotal.com
updates3.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.kaspersky.ru
d-ru-1f.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
rads.mcafee.com
d-eu-2f.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
kaspersky.ru
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com