Categories: Malware

MSIL/Injector.GCF information

The MSIL/Injector.GCF is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What MSIL/Injector.GCF virus can do?

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction – unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
Guard pages use detected – possible anti-debugging.
Dynamic (imported) function loading detected
Reads data out of its own binary image
CAPE extracted potentially suspicious content
The binary likely contains encrypted or compressed data.
.NET file is packed/obfuscated with SmartAssembly
Authenticode signature is invalid
Attempts to remove evidence of file being downloaded from the Internet
Behavioural detection: Injection (Process Hollowing)
Executed a process and injected code into it, probably while unpacking
Behavioural detection: Injection (inter-process)
Created a process from a suspicious location
Installs itself for autorun at Windows startup
Detects Bochs through the presence of a registry key
Attempted to write directly to a physical drive
Creates a copy of itself
Collects information to fingerprint the system

How to determine MSIL/Injector.GCF?


File Info:
name: 7533ECC76FDDE7206FF3.mlwpath: /opt/CAPEv2/storage/binaries/acd08d273ddd5158f34980155c92da3fc764819197994d4e55e122a307105abccrc32: 752469BDmd5: 7533ecc76fdde7206ff34da1f8ec8175sha1: d828b4ac892a4021dd9406c41a9af3bd106e1771sha256: acd08d273ddd5158f34980155c92da3fc764819197994d4e55e122a307105abcsha512: 6bcb82667bf3bd9631a92360279a01a1bd4920d7bdf1ca848dc139b95ab301209b1880eadd88bb1e22c86b9815d1423a3c8b61849c460cceac1378ed0e210632ssdeep: 3072:8DTmWHxaEPuNr95QOUC+fKiYTg952BhlLgY32CV+GoPPJJA1zLvqbTeftZlYtmV/:8n1UL5/UC+fKiYg52Bc0ItHe1ZlYVtype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T12D04F00D36806750C2050B778C4A56FEA97CDFC61887BE2B7290BF590CF6F8AD85A125sha3_384: a085afde4b57a8bf1475dd3253e1dbdd5cd178ef16562b239935a933c711e10b8e790b3b57889c58e94f107c002cf38fep_bytes: ff250020400000000000000000000000timestamp: 2014-11-05 15:04:43
Version Info:
Translation: 0x0000 0x04b0Comments: TFhWkGFileDescription: TFhWkGFileVersion: 5.9.3.40703InternalName: 2252.exeLegalCopyright: ©2014 Th1BZu All Rights Reserved.OriginalFilename: 2252.exeProductName: TFhWkGProductVersion: 5.9.3.40703Assembly Version: 5.9.3.40703

MSIL/Injector.GCF also known as:

Bkav	W32.AIDetectNet.01
DrWeb	Trojan.Inject2.12821
FireEye	Generic.mg.7533ecc76fdde720
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
Cybereason	malicious.76fdde
BitDefenderTheta	Gen:NN.ZemsilF.34742.lm0@aOdXJqh
VirIT	Trojan.Win32.MSIL9.BIUI
Cyren	W32/Zbot.WU.gen!Eldorado
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Injector.GCF
APEX	Malicious
Kaspersky	HEUR:Trojan.MSIL.NetWire.gen
Avast	MSIL:GenMalicious-BBI [Trj]
Tencent	Malware.Win32.Gencirc.114c3912
Zillya	Trojan.Injector.Win32.358855
Trapmine	malicious.high.ml.score
Sophos	ML/PE-A
SentinelOne	Static AI – Malicious PE
Jiangmin	Trojan.Generic.lift
Avira	HEUR/AGEN.1221623
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	CIL.StupidPInvoker-2.Heur
Ikarus	Trojan.Win32.Foxhiex
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Injector.GDW!tr
AVG	MSIL:GenMalicious-BBI [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (D)