TrojanSpy:MSIL/Golroted.B
First posted on 13 February 2015.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:MSIL/Golroted.B.
Explanation:
Threat behavior
Installation
The threat drops a copy of itself as appreadiness.exe in the %APPDATA%\microsoft folder. It also drops a component file, defragsvc.exe, in the same folder.
The component file, detected as Trojan:MSIL/Golroted, changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Application Readiness"
With data: the path of the dropped component, for example "%APPDATA%\microsoft\defragsvc.exe"
Payload
Steals product keys and personal information
The threat runs a command-line password and product key recovery tool (Nirsoft's ProduKey) in the background.
The threat tries to steal information stored on your PC, including:
- Game product keys
- Skype contacts
- Minecraft credentials
- Clipboard
- FTP password
The information gathered by the recovery tool is sent back via email to the malware's operator.
The threat also records the keystrokes you make when using your PC.
Analysis by Zarestel Ferrer
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\microsoft\defragsvc.exe
%APPDATA%\microsoft\appreadiness.exe
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Application Readiness"
With data: the path of the dropped component, for example "%APPDATA%\microsoft\defragsvc.exe"
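A read-only PowerShell check for the indicators listed above, added here as an example and not part of the Microsoft entry. It assumes the file paths and the Run value name exactly as given above, and it only reports findings (files, the Run entry, and any process started from the dropped paths) without removing anything.

```powershell
# Added example (not from the Microsoft entry): look for the Golroted.B
# indicators described above and report them; nothing is modified.
$indicatorFiles = @(
    (Join-Path $env:APPDATA 'microsoft\defragsvc.exe'),
    (Join-Path $env:APPDATA 'microsoft\appreadiness.exe')
)
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Application Readiness'
$findings  = @()

# 1. Dropped files: record size and SHA-256 so the sample can be preserved for analysis.
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (size $($item.Length) bytes, SHA256 $hash)"
    }
}

# 2. Persistence: the "Application Readiness" Run value, and whether it points at defragsvc.exe.
$runEntry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runEntry) {
    $data = $runEntry.$valueName
    $findings += "Run value '$valueName' present with data: $data"
    $expanded = [Environment]::ExpandEnvironmentVariables($data)
    if ($expanded -like '*\microsoft\defragsvc.exe*') {
        $findings += "Run value points at defragsvc.exe under $env:APPDATA\microsoft"
    }
}

# 3. Live execution: any process whose image was launched from one of the dropped paths.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($indicatorFiles -contains $_.Path) } |
    ForEach-Object { $findings += "Process running from indicator path: $($_.Path) (PID $($_.Id))" }

if ($findings.Count -eq 0) {
    Write-Output 'No Golroted.B indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output 'Preserve the files listed above for analysis and run a full antimalware scan before cleanup.'
}
```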
Last update 13 February 2015