Goblin File Infector spreading in the wild

May 11, 2012

SonicWALL UTM Research team discovered a new variant of the Goblin/Xpaj File Infector Virus spreading through malicious links in the wild. This Virus was found infecting executable files on the target computer and contacting a remote command and control server.

We discovered the following on analysis of the Virus:

  • It creates the following copies of itself:
    • %temp%\FB.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%\FC.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%\FD.tmp [Detected as GAV: Goblin.G (Virus)]
  • It creates the following mutexes:
    • aoki
    • kcade
  • It searches the %programfiles% and %windir% directory trees to identify files for infection
  • It copies each file identified for infection to a temporary .tmp file in %temp%, injects its malicious code into the copy, and then replaces the original file with the modified version
  • It checks for internet connectivity by querying microsoft.com
  • It posts data to a remote command and control server:

    [screenshot of the HTTP POST to the command and control server]

  • It queries the following list of domains, generated by a pre-determined domain generation algorithm (DGA):
    • aqjxite.com
    • bearwy.com
    • bfsxwjndcpj.com
    • bitubkxrybs.com
    • epjfdpstt.com
    • htwxsxd.com
    • iwlgnuz.com
    • kqjzmbgwli.com
    • lnbywuduxby.com
    • nrgrbhm.com
    • tuhxlfbqu.com
    • uoliqbysup.com
    • vlxmzlko.com
    • xnidyek.com
    • ygyame.com
    • zzayzoabsi.com
  • It has functionality to download additional malware
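The indicators above (dropped %temp% copies, the two mutexes, the DGA domains, and modified files under %programfiles% and %windir%) can be checked on a suspect host with the following triage script. This is an added example, not code from the SonicWALL write-up. It assumes the mutexes may live either in the session or the Global\ namespace (the write-up gives only the bare names), and it relies on Authenticode: a signed PE that the infector has patched fails hash verification, while unsigned files cannot be judged this way.

```powershell
# Goblin/Xpaj host triage (added example; indicator values from the write-up).
# Run from an elevated PowerShell prompt; the recursive signature scan of
# %windir% and %programfiles% can take several minutes.

$ErrorActionPreference = 'SilentlyContinue'

# Indicators listed in the write-up
$TempCopies = 'FB.tmp', 'FC.tmp', 'FD.tmp' | ForEach-Object { Join-Path $env:TEMP $_ }
$Mutexes    = 'aoki', 'kcade'
$DgaDomains = @(
    'aqjxite.com', 'bearwy.com', 'bfsxwjndcpj.com', 'bitubkxrybs.com',
    'epjfdpstt.com', 'htwxsxd.com', 'iwlgnuz.com', 'kqjzmbgwli.com',
    'lnbywuduxby.com', 'nrgrbhm.com', 'tuhxlfbqu.com', 'uoliqbysup.com',
    'vlxmzlko.com', 'xnidyek.com', 'ygyame.com', 'zzayzoabsi.com'
)

$Findings = @()

# 1. Dropped copies of the virus in %temp%
foreach ($path in $TempCopies) {
    if (Test-Path -LiteralPath $path) {
        $Findings += [pscustomobject]@{ Type = 'TempCopy'; Detail = $path }
    }
}

# 2. Mutexes held by a running instance. OpenExisting throws
#    WaitHandleCannotBeOpenedException when the mutex does not exist, so a
#    successful open (or an access-denied error) means something created it.
#    Trying both the bare name and Global\ is an assumption, not from the write-up.
foreach ($name in $Mutexes) {
    foreach ($candidate in @($name, "Global\$name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            $Findings += [pscustomobject]@{ Type = 'Mutex'; Detail = $candidate }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # absent: expected on a clean host
        } catch [System.UnauthorizedAccessException] {
            $Findings += [pscustomobject]@{ Type = 'Mutex'; Detail = "$candidate (exists, access denied)" }
        }
    }
}

# 3. Resolver cache entries for the DGA domains.
#    Get-DnsClientCache needs Windows 8 / Server 2012 or later; on older
#    hosts grep the output of 'ipconfig /displaydns' instead.
$cache = Get-DnsClientCache | Select-Object -ExpandProperty Entry
foreach ($domain in $DgaDomains) {
    if ($cache -contains $domain) {
        $Findings += [pscustomobject]@{ Type = 'DnsCache'; Detail = $domain }
    }
}

# 4. PE files in the two directory trees the virus scans whose embedded
#    Authenticode signature no longer matches the file contents. A signed
#    binary that has been patched reports HashMismatch. NotSigned tells you
#    nothing either way, so unsigned files are not flagged here.
$Roots = $env:ProgramFiles, $env:windir
Get-ChildItem -Path $Roots -Recurse -Include *.exe, *.dll -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -eq 'HashMismatch') {
            $Findings += [pscustomobject]@{ Type = 'TamperedPE'; Detail = $_.FullName }
        }
    }

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No Goblin/Xpaj indicators found on this host.'
}
```

A HashMismatch hit on a file under %windir% or %programfiles% is strong evidence of infection and should be followed by offline scanning, since a running infector can re-infect files as they are cleaned. An empty result does not clear the host: files that were never signed cannot be verified this way, and the mutexes are only visible while an instance is running.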

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Goblin.G (Virus)