VirTool:MSIL/Injector.EW


First posted on 23 December 2019.
Source: Microsoft

Aliases :

There are no other names known for VirTool:MSIL/Injector.EW.

Explanation :

Installation

This threat can create copies of itself in the following location:

%APPDATA%\Microsoft\Windows\BthHFSrv.exe

It drops the injected file as NcbService.exe in the following directory:

%APPDATA%\Microsoft\Windows
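A triage sweep for the two file names listed above, added here as an example and not part of the original write-up: it walks every user profile under a Users directory (a live host or a mounted disk image), matches the names case-insensitively and hashes each hit. It assumes %APPDATA% resolves to AppData\Roaming under each profile; the function and constant names are illustrative.

```python
import hashlib
from pathlib import Path

# File names from the write-up; its directory is read here as %APPDATA%\Microsoft\Windows.
ARTIFACT_NAMES = {"bthhfsrv.exe", "ncbservice.exe"}
# Assumption: %APPDATA% is <profile>\AppData\Roaming (the default on current Windows).
RELATIVE_DIR = ("AppData", "Roaming", "Microsoft", "Windows")


def _child_dir(parent, name):
    """Find a sub-directory by case-insensitive name (an image may be mounted case-sensitively)."""
    try:
        for entry in parent.iterdir():
            if entry.is_dir() and entry.name.lower() == name.lower():
                return entry
    except OSError:
        pass  # unreadable profile: skip it rather than abort the sweep
    return None


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_profiles(users_root):
    """Return [(profile, path, sha256)] for every artifact name found under users_root."""
    hits = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        folder = profile
        for part in RELATIVE_DIR:
            folder = _child_dir(folder, part)
            if folder is None:
                break
        if folder is None:
            continue  # this profile has no such directory
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and entry.name.lower() in ARTIFACT_NAMES:
                hits.append((profile.name, str(entry), sha256_of(entry)))
    return hits


if __name__ == "__main__":
    import sys
    for profile, path, digest in sweep_profiles(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"):
        print(f"{profile}\t{path}\t{digest}")
```

A name match is only a lead; the hash is there so each hit can be checked against a scanner or reputation service.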

This threat can inject code into the following processes:

- AppLaunch.exe
- RegAsm.exe
- RegSvcs.exe
- svchost.exe
- vbc.exe

Payload

This malware can download and execute a remote file if a URL is specified in its configuration.

Additional information

Stops running if the following conditions are found:

- The process name sandboxierpcss.exe is found
- The following video controller name descriptions are available in the system:
  - virtualbox graphics adapter
  - vm additions s3 trio32/64
  - vmware svga ii

Analysis by Zarestel Ferrer

Last update 23 December 2019