Security News

Goblin File Infector spreading in the wild (May 11, 2012)

By

SonicWALL UTM Research team discovered a new variant of Goblin/Xpaj File Infector Virus spreading though malicious links in the wild. This Virus was found infecting various files on the target computer and contacting a remote command and control server.

We discovered the following on analysis of the Virus:

  • It creates the following copies of itself:
    • %temp%FB.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FC.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FD.tmp [Detected as GAV: Goblin.G (Virus)]

  • It creates the following mutexes:
    • aoki
    • kcade

  • It searches through %programfiles% and %windir% directories in order to identify files for infection

  • It copies files identified for infection to %temp%.tmp, modifies it with malicious code and replaces the original file with the modified version

  • It checks for connectivity to the internet by querying microsoft.com

  • It posts data to a remote server command and control server:

    screenshot

  • It queries the following list of domains generated using a pre-determined algorithm:
    • aqjxite.com
    • bearwy.com
    • bfsxwjndcpj.com
    • bitubkxrybs.com
    • epjfdpstt.com
    • htwxsxd.com
    • iwlgnuz.com
    • kqjzmbgwli.com
    • lnbywuduxby.com
    • nrgrbhm.com
    • tuhxlfbqu.com
    • uoliqbysup.com
    • vlxmzlko.com
    • xnidyek.com
    • ygyame.com
    • zzayzoabsi.com

  • It has functionality to download additional malware

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Goblin.G (Virus)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
IBM DB2 XML Query Buffer Overflow (Sep 19, 2008)
Apple Safari WebKit Counter Vulnerability (Oct 7, 2010)
Sonicwall RTDMI engine discovers malicious MS Office file containing Java RAT in the wild
Rogue AV using Search Engine Optimization (Nov 3, 2009)
GHOST Vulnerability CVE-2015-0235 (Jan 28, 2015)
Microsoft Security Bulletin Coverage (Mar 10, 2015)
Microsoft Windows IE Memory Corruption (Sept 18, 2013)
Spam campaign roundup: The Memorial Day Edition (May 23, 2014)