
TrojanSpy:MSIL/Golroted.B


First posted on 13 February 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:MSIL/Golroted.B.

Explanation:

Threat behavior

Installation


The threat drops a copy of itself as appreadiness.exe in the %APPDATA%\microsoft folder. It also drops a component file, defragsvc.exe, in the folder.

The component file, detected as Trojan:MSIL/Golroted, changes the following registry entry so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Application Readiness"
With data: "<path to the dropped component>", for example "%APPDATA%\microsoft\defragsvc.exe"

Payload


Steals product keys and personal information

The threat runs a command-line password and product key recovery tool (Nirsoft's ProduKey) in the background.

The threat tries to steal information stored on your PC, including:

  • Game product keys
  • Skype contacts
  • Minecraft credentials
  • Clipboard
  • FTP password


The information gathered by the recovery tool is sent back to the malware's operator via email.

The threat also logs the keystrokes you make when using your PC.



Analysis by Zarestel Ferrer

Symptoms

The following can indicate that you have this threat on your PC:

  • You have these files:

    %APPDATA%\microsoft\defragsvc.exe
    %APPDATA%\microsoft\appreadiness.exe
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Application Readiness"
    With data: "<path to the dropped component>", for example "%APPDATA%\microsoft\defragsvc.exe"
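The following PowerShell script is an added example, not part of Microsoft's write-up, that checks the current user's profile for the file and registry indicators listed above. It is read-only: it reports what it finds (with file hashes and the Run value's data) and removes nothing. The idea that any autorun entry pointing into %APPDATA%\microsoft deserves a look, even under a different value name, is an assumption added here, since the data path on a given PC may differ from the example in the write-up.

```powershell
# Added example (not from the Microsoft write-up): report the
# TrojanSpy:MSIL/Golroted.B indicators on the current user's profile.
# Read-only; nothing is deleted or modified.

$folder         = Join-Path $env:APPDATA 'microsoft'
$indicatorFiles = @('defragsvc.exe', 'appreadiness.exe') |
                  ForEach-Object { Join-Path $folder $_ }
$runKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName      = 'Application Readiness'

$findings = @()

# 1. Dropped files: record hash, size and timestamp for the incident notes.
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = $path
            Extra     = "SHA256=$hash; Size=$($item.Length); Modified=$($item.LastWriteTime)"
        }
    }
}

# 2. The persistence value named in the write-up. Name and data are checked
#    separately because the data path can differ from the published example.
$runValue = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{
        Indicator = 'Registry'
        Detail    = "$runKey\$valueName"
        Extra     = "Data=$($runValue.$valueName)"
    }
}

# 3. Assumption added here: any other Run value whose data points into
#    %APPDATA%\microsoft is worth reviewing, since legitimate software rarely
#    autoruns from that folder.
$allRun = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($allRun) {
    $allRun.PSObject.Properties |
        Where-Object {
            $_.Name -notmatch '^PS' -and
            $_.Name -ne $valueName -and
            "$($_.Value)" -like "*$folder*"
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Detail    = "$runKey\$($_.Name)"
                Extra     = "Data=$($_.Value)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Golroted.B indicators found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because both %APPDATA% and HKCU are per-user, run the script in the context of each account that has logged on to the PC (or adapt it to iterate over the user profiles and load each user's hive) before concluding the machine is clean.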




Last update 13 February 2015
