
VirTool:MSIL/Injector.EW


First posted on 15 July 2015.
Source: Microsoft

Aliases :

There are no other names known for VirTool:MSIL/Injector.EW.

Explanation :

Threat behavior

Installation

This threat can create copies of itself to the following location:

  • %APPDATA%\Microsoft\Windows\BthHFSrv.exe


It drops the injected file as NcbService.exe in the following directory:

  • %APPDATA%\Microsoft\Windows


This threat can inject code into the following processes:

  • AppLaunch.exe
  • RegAsm.exe
  • RegSvcs.exe
  • svchost.exe
  • vbc.exe


Payload

This malware can download and execute a remote file if a URL is specified in its configuration.

Additional information

The threat stops running if it finds the following conditions on the system:

  • A process named sandboxierpcss.exe is running
  • A video controller with one of the following name descriptions is present on the system:
    • virtualbox graphics adapter
    • vm additions s3 trio32/64
    • vmware svga ii
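
The file indicators, the injection targets and the anti-analysis conditions above can be checked by one triage script. The following is an added example, not code from Microsoft or from the sample itself. It assumes: Windows with PowerShell available for live collection; that any single anti-analysis condition is enough to make the sample exit; that the video controller names are matched as substrings of Win32_VideoController.Name; and that an injection target whose parent process is one of the dropped executables is worth flagging (the entry does not say how the injection is launched). The names triage, sample_would_exit and collect_snapshot, and the sample snapshot, are constructed for this example.

```python
"""Host triage for the indicators in this entry (added example, not Microsoft's code).

The logic works on a plain 'snapshot' dict so it runs offline against the
constructed sample; collect_snapshot() gathers a live one on Windows via
PowerShell (an assumption of this example, not something the entry describes).
"""
import json
import os
import subprocess
import sys

# File indicators from the entry, relative to %APPDATA%.
INDICATOR_FILES = (
    r"Microsoft\Windows\BthHFSrv.exe",
    r"Microsoft\Windows\NcbService.exe",
)
DROPPED_NAMES = frozenset(f.rsplit("\\", 1)[-1].lower() for f in INDICATOR_FILES)

# Processes the entry lists as injection targets.
INJECTION_TARGETS = frozenset(
    {"applaunch.exe", "regasm.exe", "regsvcs.exe", "svchost.exe", "vbc.exe"}
)

# Anti-analysis conditions from the entry. Assumption: any one of them makes the sample exit.
SANDBOX_PROCESS = "sandboxierpcss.exe"
VM_VIDEO_NAMES = ("virtualbox graphics adapter", "vm additions s3 trio32/64", "vmware svga ii")


def sample_would_exit(process_names, video_controller_names):
    """Return the first anti-analysis condition the sample would trip, or None."""
    if any(p.lower() == SANDBOX_PROCESS for p in process_names):
        return "process " + SANDBOX_PROCESS
    for name in video_controller_names:
        low = name.lower()
        if any(marker in low for marker in VM_VIDEO_NAMES):  # assumption: substring match
            return "video controller " + repr(name)
    return None


def triage(snapshot):
    """snapshot: {"appdata": str, "files": set[str], "processes": [dict], "video": [str]}.
    Each process dict has name, pid, ppid, path. Returns findings plus the evasion verdict."""
    appdata = snapshot["appdata"].rstrip("\\")
    present = {f.lower() for f in snapshot["files"]}  # lower-case: NTFS is case-insensitive
    findings = []
    for rel in INDICATOR_FILES:
        full = appdata + "\\" + rel
        if full.lower() in present:
            findings.append(("indicator_file", full))

    by_pid = {p["pid"]: p for p in snapshot["processes"]}
    for p in snapshot["processes"]:
        name = p["name"].lower()
        if name not in INJECTION_TARGETS:
            continue
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<unknown>"
        if parent_name in DROPPED_NAMES:
            findings.append(("target_spawned_by_dropper",
                             f"{p['name']} (pid {p['pid']}) <- {parent['name']} (pid {p['ppid']})"))
        elif name != "svchost.exe":
            # The .NET Framework tools rarely run on their own on a workstation; report for review.
            findings.append(("target_running", f"{p['name']} (pid {p['pid']}) parent {parent_name}"))

    verdict = sample_would_exit([p["name"] for p in snapshot["processes"]], snapshot["video"])
    return {"findings": findings, "sample_would_exit": verdict}


# PowerShell query used for live collection (Windows only).
_PS = (
    "$p = @(Get-CimInstance Win32_Process | Select-Object Name,ProcessId,ParentProcessId,ExecutablePath);"
    "$v = @(Get-CimInstance Win32_VideoController | Select-Object -ExpandProperty Name);"
    "@{processes=$p; video=$v} | ConvertTo-Json -Depth 3"
)


def collect_snapshot():
    """Gather a live snapshot on Windows (assumes powershell.exe is on PATH)."""
    out = subprocess.run(["powershell", "-NoProfile", "-Command", _PS],
                         capture_output=True, text=True, check=True).stdout
    data = json.loads(out)
    procs = data["processes"] if isinstance(data["processes"], list) else [data["processes"]]
    video = data["video"] if isinstance(data["video"], list) else [data["video"]]
    appdata = os.environ["APPDATA"]
    files = {appdata + "\\" + rel for rel in INDICATOR_FILES
             if os.path.exists(os.path.join(appdata, rel))}
    return {
        "appdata": appdata,
        "files": files,
        "processes": [{"name": p["Name"], "pid": p["ProcessId"], "ppid": p["ParentProcessId"],
                       "path": p.get("ExecutablePath")} for p in procs],
        "video": [v for v in video if v],
    }


# Constructed sample snapshot (not real telemetry): an infected physical workstation.
SAMPLE_SNAPSHOT = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "files": {r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe"},
    "processes": [
        {"name": "explorer.exe", "pid": 1200, "ppid": 900, "path": r"C:\Windows\explorer.exe"},
        {"name": "BthHFSrv.exe", "pid": 3400, "ppid": 1200,
         "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\BthHFSrv.exe"},
        {"name": "RegAsm.exe", "pid": 3412, "ppid": 3400,
         "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
        {"name": "svchost.exe", "pid": 800, "ppid": 600, "path": r"C:\Windows\System32\svchost.exe"},
    ],
    "video": ["NVIDIA GeForce GTX 1060"],
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" and "--live" in sys.argv else SAMPLE_SNAPSHOT
    result = triage(snap)
    for kind, detail in result["findings"]:
        print(f"[{kind}] {detail}")
    print("sample_would_exit:", result["sample_would_exit"])
```

Run it with --live on the suspect host, or inside the analysis VM before detonating: if sample_would_exit reports a hit there, the sample terminates before it reaches the download-and-execute payload, so the VM's video adapter name or the Sandboxie service process needs to be changed first.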

Symptoms

The following can indicate that you have this threat on your PC:

  • You see the following files:
    • %APPDATA%\Microsoft\Windows\BthHFSrv.exe
    • %APPDATA%\Microsoft\Windows\NcbService.exe




Last update 15 July 2015
