Win32/Goblin [Threat Name]
Win32/Goblin.C.Gen [Threat Variant Name]
Available cleaner [Download Goblin Cleaner]
Category | virus
Aliases | Virus.Win32.Xpaj.genb (Kaspersky), W32/Xpaj.c.virus (McAfee), Virus:Win32/Xpaj.B (Microsoft), W32.Xpaj.B (Symantec)
Short description
Win32/Goblin.C.Gen is a polymorphic file infector. The virus tries to download and execute several files from the Internet.
Installation
The virus does not create any copies of itself.
Executable file infection
Win32/Goblin.C.Gen is a polymorphic file infector.
The virus infects the files with program code that is downloaded from the Internet.
The virus searches for executables with one of the following extensions:
- .exe
- .dll
- .scr
- .sys
The virus uses the EPO (Entry Point Obscuring) infection technique.
The infected files contain program code which tries to download other malware.
Spreading on removable media
The virus copies itself into the root folders of removable drives using a random filename.
The following file is dropped in the same folder:
- autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
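A triage check for the removable-media behaviour described above, as an added example that is not part of the original description: it parses an autorun.inf and flags launch commands that point at an executable in the drive root. The sample file, the file name xkqjwz.exe and the extension set are constructed assumptions; the page does not state what the dropped autorun.inf contains.

```python
import ntpath
import re

# Assumption: extensions treated as launchable; this set is not taken from the page.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Standard autorun.inf keys whose value is a command to run.
CMD_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_targets(text):
    """Return (key, program_path) for each launch command in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Program path is the quoted string, or else the first token.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        if CMD_KEY.match(key) and m:
            targets.append((key.lower(), m.group(1) or m.group(2)))
    return targets

def suspicious_targets(text):
    """Keep only targets that are executables sitting directly in the drive root."""
    flagged = []
    for key, path in autorun_targets(text):
        rest = ntpath.splitdrive(ntpath.normpath(path))[1].lstrip("\\")
        if "\\" not in rest and ntpath.splitext(rest)[1].lower() in EXEC_EXTS:
            flagged.append((key, path))
    return flagged

# Constructed sample, not a file recovered from an infected drive.
SAMPLE = """[AutoRun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=xkqjwz.exe
shell\\open\\command=xkqjwz.exe
shell\\explore\\command="tools\\viewer.exe" /s
"""

if __name__ == "__main__":
    for key, path in suspicious_targets(SAMPLE):
        print(f"suspicious autorun entry: {key} -> {path}")
```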
Information stealing
The following information is collected:
- user name
- computer name
- disk serial number (without spaces)
The virus attempts to send gathered information to a remote machine.
Other information
The virus contains a list of 5 URLs.
The virus generates various URL addresses.
It tries to download several files from these addresses using the HTTP protocol.
The downloaded files are then executed.
The virus checks for Internet connectivity by trying to connect to the following address:
- microsoft.com
The virus may create the following files:
- %windir%\%variable%
A string with variable content is used instead of %variable%.