Win32/Goblin [Threat Name] go to Threat

Win32/Goblin.C.Gen [Threat Variant Name]

Available cleaner [Download Goblin Cleaner ]

Category virus
Aliases Virus.Win32.Xpaj.genb (Kaspersky)
  W32/Xpaj.c.virus (McAfee)
  Virus:Win32/Xpaj.B (Microsoft)
  W32.Xpaj.B (Symantec)
Short description

Win32/Goblin.C.Gen is a polymorphic file infector. The virus tries to download and execute several files from the Internet.


The virus does not create any copies of itself.

Executable file infection

Win32/Goblin.C.Gen is a polymorphic file infector.

The virus infects the files with program code that is downloaded from the Internet.

The virus searches for executables with one of the following extensions:

  • .exe
  • .dll
  • .scr
  • .sys

The virus uses the EPO (Entry Point Obscuring) infection technique.

The infected files contain program code which tries to download other malware.

Spreading on removable media

The virus copies itself into the root folders of removable drives using a random filename.

The following file is dropped in the same folder:

  • autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.

Information stealing

The following information is collected:

  • user name
  • computer name
  • disk serial number (without spaces)

The virus attempts to send gathered information to a remote machine.

Other information

The virus contains a list of (5) URLs.

The virus generates various URL addresses.

It tries to download several files from the addresses.

The files are then executed. The HTTP protocol is used.

The virus checks for Internet connectivity by trying to connect to the following addresses:


The virus may create the following files:

  • %windir%\­%variable%

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.