Keyword: URL
have any backdoor routine. It downloads a file from a certain URL then renames it before storing it in the affected system. It executes the downloaded files. As a result, malicious routines of the
downloaded file Get URL to download Sleep for 5 seconds Start a remote command prompt Delete itself and exit It connects to the following URL(s) to send and receive commands from a remote malicious user:
such as credit card numbers. When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}.217.79/mac.php NOTES: It may also arrive on a system by
above-mentioned countries, it sends "WUUT" to 00000 . It also blocks incoming messages coming from the numbers above then connects to the URL below with parameters: http://{BLOCKED}.{BLOCKED}.146.102/?={premium
When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}.{BLOCKED}.132.56/ http://{BLOCKED}megasoft.com/buy.php
it connects to the following URL to continue the purchase: http://{BLOCKED}edpaymentgate.com/buy.php? Connects to URLs/Ips, Displays windows
from the URL http://{BLOCKED}clip.com/n/{data}/{Application's name} . The name of the file contains strings related to the application. It automatically redirects to the following download sites:
from the following URL and renames the file when stored in the affected system: https://{BLOCKED}blue.com/images/html.exe It saves the files it downloads using the following names: %User Temp%\gidr.exe
accesses the following URL before download: {BLOCKED}1.{BLOCKED}5.141.87:13895/0704uk11/{COMPUTER NAME}/0/{OS VERSION}/0/{ENCRYPTED IP} {BLOCKED}1.{BLOCKED}5.141.87:13895/0704uk11/{COMPUTER NAME}/41/2/
Server.exe Backdoor Routine This worm executes the following commands from a remote malicious user: Access URL using Internet Explorer Download and execute arbitrary files Update copy It posts the following
\cmd.exe F/c start %cd%\{random file name}.exe %windir%\explorer %cd%\{target folder} It connects to random generated IP addresses with the following URL path: /install.htm /welcome.htm /index.htm /start.htm
from a remote malicious user: {C&C domain name}/{8 random characters}{hard-coded string} NOTES: This backdoor may use proxy connections by connecting to the URL {Proxy server name}:{Port Number} . The
URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: val prime Other Details This Trojan takes advantage of the following
" NOTES: This trojan monitors the system's browsing activities and may redirect traffic to another URL when one of the following strings are found: Google Yahoo Facebook Bing Aol Youtube Msn Hotmail Gmail
security module. It will pop up a screen that redirects the victim to the following URL, which is a phishing site that pretends to be a bank's online banking portal to gather the victim's credentials.
EXIT - end malware process REBOOT - restarts the system It uses the following URL parameters: Before backdoor, sends the following status: page=gettask&build=00001&bid={ID} page=startsession&bid={ID}
accepts the following parameters: -a, --algo=ALGO cryptonight (default) or cryptonightite -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME
uninstalls a package execOpenUrl - opens a URL The said commands are obtained from the following URL: http://{BLOCKED}h.gongfu-android.com:8511/search/getty.php It reports the result (if it fails to complete
the following additional components to properly run: {malware path}\iusb3mon.dat -> also detected as TROJ_CVIRDAT.D NOTES: The downloaded configuration file contains the following information: URL of an