Goblin File Infector spreading in the wild

May 11, 2012

SonicWALL UTM Research team discovered a new variant of Goblin/Xpaj File Infector Virus spreading though malicious links in the wild. This Virus was found infecting various files on the target computer and contacting a remote command and control server.

We discovered the following on analysis of the Virus:

  • It creates the following copies of itself:
    • %temp%FB.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FC.tmp [Detected as GAV: Goblin.G (Virus)]
    • %temp%FD.tmp [Detected as GAV: Goblin.G (Virus)]
  • It creates the following mutexes:
    • aoki
    • kcade
  • It searches through %programfiles% and %windir% directories in order to identify files for infection
  • It copies files identified for infection to %temp%.tmp, modifies it with malicious code and replaces the original file with the modified version
  • It checks for connectivity to the internet by querying microsoft.com
  • It posts data to a remote server command and control server:


  • It queries the following list of domains generated using a pre-determined algorithm:
    • aqjxite.com
    • bearwy.com
    • bfsxwjndcpj.com
    • bitubkxrybs.com
    • epjfdpstt.com
    • htwxsxd.com
    • iwlgnuz.com
    • kqjzmbgwli.com
    • lnbywuduxby.com
    • nrgrbhm.com
    • tuhxlfbqu.com
    • uoliqbysup.com
    • vlxmzlko.com
    • xnidyek.com
    • ygyame.com
    • zzayzoabsi.com
  • It has functionality to download additional malware

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Goblin.G (Virus)