What is “Win32/Injector.BGAU”?

The Win32/Injector.BGAU is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Win32/Injector.BGAU virus can do?

• Behavioural detection: Executable code extraction – unpacking
• SetUnhandledExceptionFilter detected (possible anti-debug)
• Yara rule detections observed from a process memory dump/dropped files/CAPE
• Creates RWX memory
• Possible date expiration check, exits too soon after checking local time
• Dynamic (imported) function loading detected
• Generates suspicious DNS queries indicative of DNS tunneling
• Reads data out of its own binary image
• A process created a hidden window
• CAPE extracted potentially suspicious content
• Unconventionial language used in binary resources: Albanian
• The binary likely contains encrypted or compressed data.
• Authenticode signature is invalid
• Uses Windows utilities for basic functionality
• Uses Windows utilities for basic functionality
• Behavioural detection: Injection (Process Hollowing)
• Executed a process and injected code into it, probably while unpacking
• Behavioural detection: Injection (inter-process)
• Created a process from a suspicious location
• Installs itself for autorun at Windows startup
• Attempts to modify browser security settings
• Creates a copy of itself
• Attempts to disable browser security warnings
• Anomalous binary characteristics
• Uses suspicious command line tools or Windows utilities

How to determine Win32/Injector.BGAU?

File Info:
name: 57EF447A5610AA22B2C1.mlw
path: /opt/CAPEv2/storage/binaries/49151d265e2fbe1f26bcd088f4a8bb85d0231c9e64cfb8cebd361e9ca4068664
crc32: FE7DD51A
md5: 57ef447a5610aa22b2c10d85cd3bf635
sha1: c29b9e6c4b264b812c6a482fed940028461fbb50
sha256: 49151d265e2fbe1f26bcd088f4a8bb85d0231c9e64cfb8cebd361e9ca4068664
sha512: bcce51d12d7c3e21283a3765f74b755c4bbef877331168b6f705e46a583c6d384e7ac5762ba6427f67737a107230d8a24cc4ea418fddfd05d8b533e8ba2f1a6f
ssdeep: 6144:ozxmrmL98OCabjcI9T6Z5P3CAHCf5pLiHppM/he6M36:owqOO7bHWmAHCf5pLo8nM
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1DB848D12B77DC926CA8169B2DC1109FC33511C8BFA54D27F19AAFF9A783C4F1A841D62
sha3_384: 40e5b822c7e44cf60af55925808586cb1785793e877efc83c9668196cb2aff0cd620348e819e1c3788526238a932f5ac
ep_bytes: 6848124000e8f0ffffff000000000000
timestamp: 2013-11-21 22:21:24

Version Info:
Translation: 0x041c 0x04b0
ProductName: Prüfmittelfähigkeit0
FileVersion: 7.05.0004
ProductVersion: 7.05.0004
InternalName: Palla
OriginalFilename: Palla.exe

Win32/Injector.BGAU also known as:

How to remove Win32/Injector.BGAU?

• Download and install GridinSoft Anti-Malware.
• Open GridinSoft Anti-Malware and perform a “Standard scan“.
• “Move to quarantine” all items.
• Open “Tools” tab – Press “Reset Browser Settings“.
• Select proper browser and options – Click “Reset”.
• Restart your computer.