
TrojanSpy:MSIL/Golroted.C


First posted on 26 March 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:MSIL/Golroted.C.

Explanation:

Threat behavior

Installation
We have seen this threat use the following names:

  • FAX_001.exe
  • hmmm.exe
This threat can create files on your PC, including:
  • %APPDATA%\pcprotect.exe
  • %APPDATA%\windowsupdate.exe


When the file is run, it drops a PDF file in the %TEMP% folder and opens it, so that the executable appears to have been a legitimate PDF document (the lure names above, such as FAX_001.exe, support the same disguise).

Payload


Steals product keys and personal information

The threat runs command-line password and product key recovery tools in the background. We have seen it use the following tools:

  • HackTool:Win32/Mailpassview
  • HackTool:Win32/IEPassview


The threat tries to steal information stored on your PC, including:

  • Game product keys
  • Skype contacts
  • Minecraft credentials
  • Clipboard contents
  • FTP passwords


Verifies internet connection

It connects to the following domain to check if your PC is connected to the Internet:
  • www.download.windowsupdate.com using port 80
Because this is a legitimate Microsoft update host, a connection to it is not a useful indicator on its own; it only matters in sequence with the other behavior described here.


It connects to the following domain to determine the external IP address and the location of your PC:

  • whatismyipaddress.com


Connects to a remote host

We have seen this threat connect to a remote host, including:
  • 19.264/anel/log.php
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC's location
  • Upload information taken from your PC
  • Disable task manager
  • Disable cmd
  • Delete itself
  • Steal bitcoin


Drops other malware

We have also seen this threat drop Worm:Win32/Autorun!inf.





Analysis by Jayronn Christian Bucu

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %APPDATA%\pcprotect.exe
    • %APPDATA%\windowsupdate.exe
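The file names under Symptoms and the hosts listed under "Verifies internet connection" and "Connects to a remote host" can be turned into a simple scoring rule for endpoint and proxy telemetry. The following is an added example and is not Microsoft's detection logic; the event schema, the weights, the threshold, and the sample events (including the 198.51.100.7 address) are constructed for illustration. Because the remote host on this page is garbled, only the /anel/log.php path is matched, and the windowsupdate.com connection is scored only when it is followed by the external-IP lookup, since on its own it is normal traffic.

```python
import re

# Indicators taken from the writeup. %APPDATA% resolves to
# <profile>\AppData\Roaming on Vista and later, so match on the path tail
# rather than on the literal environment variable the writeup uses.
DROPPED_FILE_RE = re.compile(r"\\appdata\\roaming\\(pcprotect|windowsupdate)\.exe$", re.I)
LURE_NAME_RE = re.compile(r"(?:^|\\)(?:fax_001|hmmm)\.exe$", re.I)
GEOIP_HOST = "whatismyipaddress.com"
CONNECTIVITY_HOST = "www.download.windowsupdate.com"
C2_PATH = "/anel/log.php"  # host on the page is garbled, so only the path is matched

# Weights and threshold are assumptions chosen for this example, not from the writeup.
WEIGHTS = {
    "dropped_copy": 5,      # %APPDATA%\pcprotect.exe or \windowsupdate.exe created
    "c2_path": 5,           # request to .../anel/log.php
    "lure_executed": 2,     # FAX_001.exe / hmmm.exe run
    "geoip_lookup": 2,      # whatismyipaddress.com contacted
    "check_then_geoip": 1,  # connectivity check followed by the IP lookup
}
THRESHOLD = 5


def match_event(ev):
    """Return the indicator name an event hits, or None.

    ev is a dict: {'type': 'file'|'proc'|'net', 'path': ..., 'host': ..., 'url': ...}
    (a constructed schema standing in for Sysmon / EDR / proxy telemetry).
    """
    kind = ev.get("type")
    if kind == "file" and DROPPED_FILE_RE.search(ev.get("path", "")):
        return "dropped_copy"
    if kind == "proc" and LURE_NAME_RE.search(ev.get("path", "")):
        return "lure_executed"
    if kind == "net":
        url_path = ev.get("url", "").lower().split("?", 1)[0].rstrip("/")
        if url_path.endswith(C2_PATH):
            return "c2_path"
        host = ev.get("host", "").lower()
        if host == GEOIP_HOST:
            return "geoip_lookup"
        if host == CONNECTIVITY_HOST:
            return "connectivity_check"  # legitimate host; only meaningful in sequence
    return None


def score_host(events):
    """Score one host's events in time order; returns (score, [reasons])."""
    score, reasons = 0, []
    seen_connectivity = False
    for ev in events:
        hit = match_event(ev)
        if hit is None:
            continue
        if hit == "connectivity_check":
            seen_connectivity = True  # remembered, but not scored by itself
            continue
        if hit == "geoip_lookup" and seen_connectivity:
            score += WEIGHTS["check_then_geoip"]
            reasons.append("connectivity check followed by external-IP lookup")
        score += WEIGHTS[hit]
        reasons.append(f"{hit}: {ev.get('path') or ev.get('url') or ev.get('host')}")
    return score, reasons


def verdict(events):
    """Return ('suspicious'|'clean', score, reasons) for one host's events."""
    score, reasons = score_host(events)
    return ("suspicious" if score >= THRESHOLD else "clean", score, reasons)


# Constructed sample telemetry for one host, in time order (not real logs).
SAMPLE_INFECTED = [
    {"type": "proc", "path": r"C:\Users\alice\Downloads\FAX_001.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\fax_001.pdf"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\pcprotect.exe"},
    {"type": "net", "host": "www.download.windowsupdate.com"},
    {"type": "net", "host": "whatismyipaddress.com"},
    {"type": "net", "host": "198.51.100.7", "url": "http://198.51.100.7/anel/log.php"},
]
SAMPLE_CLEAN = [
    {"type": "proc", "path": r"C:\Windows\System32\svchost.exe"},
    {"type": "net", "host": "www.download.windowsupdate.com"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp"},
]

if __name__ == "__main__":
    for name, evs in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, verdict(evs))
```

The dropped-file rule is deliberately anchored to the AppData\Roaming tail so that a pcprotect.exe elsewhere on disk (which the writeup does not describe) does not fire; likewise the decoy PDF in %TEMP% is not scored because any document opener writes there.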

Last update 26 March 2015
