Home / malwarePDF  

TrojanDropper:MSIL/Golbla.B


First posted on 15 July 2015.
Source: Microsoft

Aliases :

There are no other names known for TrojanDropper:MSIL/Golbla.B.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

  • %APPDATA% \roaming\systeme.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: ".exe"
With data: "" The malware uses code injection to make it harder to detect and remove. It can inject code into running processes. This threat injects to another process that we detect as VirTool:MSIL/Injector.EW. VirTool:MSIL/Injector.EW is dropped and run in the following directory:
  • %APPDATA% \Microsoft\Windows\BthHFSrv.exe


It drops the injected file as NcbService.exe in the following directory:

  • %APPDATA% \Microsoft\Windows
We have also observed this threat drop the following malware in infected PCs:
  • HackTool:Win32/BrowserPassview
  • HackTool:Win32/Mailpassview
  • Trojan:MSIL/Mubuie.A
  • TrojanSpy:MSIL/Golroted
  • TrojanSpy:Win32/Plimrost


Payload

This threat modifies the following system settings to hide file extensions when viewed in Windows Explorer:

In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "0x00000001"

It also modifies the internet access configuration to bypass the proxy server by modifying the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Sets value: "ProxyBypass"
With data: "0x00000001"

Additional information


We have observed this threat drop the following malware:

  • HackTool:Win32/BrowserPassview
  • HackTool:Win32/Mailpassview
  • Trojan:MSIL/Mubuie
  • TrojanSpy:MSIL/Golroted
  • TrojanSpy:Win32/Plimrost
  • VirTool:MSIL/Injector.EW
Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %APPDATA%\roaming\systeme.exe
    • %APPDATA%\Microsoft\Windows\BthHFSrv.exe
    • %APPDATA%\Microsoft\Windows\NcbService.exe
  • You see registry modifications such as:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: ".exe"
      With data: ""

Last update 15 July 2015

 

TOP

Malware :

Family: