SonicWALL Security Center


Goblin File Infector spreading in the wild (May 11, 2012)



Description


SonicWALL UTM Research team discovered a new variant of the Goblin/Xpaj file infector virus spreading through malicious links in the wild. This virus was found infecting various files on the target computer and contacting a remote command and control server.

Our analysis of the virus found the following:


  • It creates the following copies of itself:
    • %temp%\FB.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%\FC.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%\FD.tmp [Detected as GAV: Goblin.G (Virus)]

  • It creates the following mutexes:
    • aoki
    • kcade

  • It searches through %programfiles% and %windir% directories in order to identify files for infection

  • It copies each file identified for infection to %temp%\.tmp, modifies the copy with malicious code and then replaces the original file with the modified version

  • It checks for connectivity to the internet by querying microsoft.com

  • It posts data to a remote command and control server:

    screenshot

  • It queries the following list of domains generated using a pre-determined algorithm:

  • It has functionality to download additional malware
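As an added detection example (not part of the original alert or SonicWALL's own tooling), the following Python checker runs over a constructed process/file event log and flags two of the behaviours listed above: creation of the aoki/kcade mutexes, and a .tmp file written under %temp% that is then renamed over a file in %programfiles% or %windir%. The event format, the paths and the process ids are assumptions made for the sample.

```python
from collections import defaultdict

KNOWN_MUTEXES = {"aoki", "kcade"}                      # mutex names from the alert
TEMP_DIR = r"C:\Users\bob\AppData\Local\Temp"          # assumed %temp% on the sample host
TARGET_DIRS = (r"C:\Program Files", r"C:\Windows")     # %programfiles% and %windir%

# Constructed sample events (not real telemetry), one per line:
#   pid|op|path[|destination]   with op in CREATE, WRITE, RENAME, MUTEX
SAMPLE_EVENTS = """\
4120|CREATE|C:\\Users\\bob\\AppData\\Local\\Temp\\FB.tmp
4120|MUTEX|aoki
4120|MUTEX|kcade
4120|CREATE|C:\\Users\\bob\\AppData\\Local\\Temp\\A1.tmp
4120|WRITE|C:\\Users\\bob\\AppData\\Local\\Temp\\A1.tmp
4120|RENAME|C:\\Users\\bob\\AppData\\Local\\Temp\\A1.tmp|C:\\Program Files\\Example\\app.exe
5200|CREATE|C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp
5200|WRITE|C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp
5200|RENAME|C:\\Users\\bob\\AppData\\Local\\Temp\\setup.tmp|C:\\Users\\bob\\Downloads\\setup.exe
"""


def _under(path, root):
    """Case-insensitive check that path lies below the directory root."""
    return path.lower().startswith(root.lower() + "\\")


def detect(events):
    """Return a list of (pid, finding) tuples for behaviours matching the alert."""
    findings = []
    written_tmp = defaultdict(set)   # pid -> .tmp files under %temp% that pid has written
    for line in events.splitlines():
        parts = line.split("|")
        if len(parts) < 3:
            continue
        pid, op, path = parts[0], parts[1], parts[2]
        if op == "MUTEX" and path in KNOWN_MUTEXES:
            findings.append((pid, f"known Goblin mutex {path}"))
        elif op == "WRITE" and _under(path, TEMP_DIR) and path.lower().endswith(".tmp"):
            written_tmp[pid].add(path)
        elif op == "RENAME" and len(parts) == 4:
            dst = parts[3]
            # the infector pattern: a temp copy this process wrote lands on a target file
            if path in written_tmp[pid] and any(_under(dst, d) for d in TARGET_DIRS):
                findings.append((pid, f"temp copy {path} replaced {dst}"))
    return findings


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(pid, finding)
```

The rename rule alone will also fire on legitimate installers and updaters that stage files in %temp%, so in practice it should be weighted together with the mutex hit rather than alerting on its own.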


SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Goblin.G (Virus)


