Search
Keyword: ms07047 windows media player 936782
Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center
WINDOWS\inf\patch.exe WINDOWS\Installer\patch.exe WINDOWS\java\patch.exe WINDOWS\KB893803v2.log\patch.exe WINDOWS\MedCtrOC.log\patch.exe WINDOWS\Media\patch.exe WINDOWS\Microsoft.NET\patch.exe WINDOWS
finish_nested_data Function Heap Buffer Overflow Vulnerability (CVE-2017-12933) Web Client Common 1008745* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB17-36) - 4 1008939 - Adobe Flash Player
Acrobat Pro DC ImageConversion BMP Parsing Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2017-11253) 1009099 - Adobe Flash Player Type Confusion Vulnerability (CVE-2018-4944) 1009012* -
Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows
This Trojan has received attention from independent media sources and/or other security firms. To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown
execution at every system startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run {random parameter 1}{random parameter 2} = "{malware path and file name}" Other Details This backdoor
filename}.txt ← saves gathered cookies content (Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and
Autostart Technique This Trojan Spy drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup: %User Startup%\{username} (Note: %User Startup% is
Extension}.part (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}
Temp%\2.exe (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) It creates the
\v4.0.30319\mscorsvw.exe %System%\svchost.exe -k LocalServiceAndNoImpersonation %Windows%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe %System%\sppsvc.exe "%System Root%\Program Files\Windows Media Player
folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) Other System Modifications This Trojan modifies the following registry entries:
file types: MS Office Files (.doc, .xls, .ppt, .mdb) Adobe PDF Files (.pdf) Archive Files(.zip, .rar) Program Application Files (.exe) Image Files (.gif, .png, .bmp, .jpg ) Media Files (.mp3, .wma) Other
file types: MS Office Files (.doc, .xls, .ppt, .mdb) Adobe PDF Files (.pdf) Archive Files(.zip, .rar) Program Application Files (.exe) Image Files (.gif, .png, .bmp, .jpg ) Media Files (.mp3, .wma) Other
\ Windows\CurrentVersion\Explorer\ Advanced HideFileExt = 1 (Note: The default value data of the said registry entry is 0 .) File Infection This file infector infects the following file types: MS Office Files
\ Windows\CurrentVersion\Explorer\ Advanced HideFileExt = 1 (Note: The default value data of the said registry entry is 0 .) File Infection This file infector infects the following file types: MS Office Files
and Windows Server 2012.) It drops the following files: %All Users Profile%\DRM\Media\line.dat %All Users Profile%\DRM\Media\D753DD1C.db %Temp%\temp.vih %User Profile%\Local Settings\Temporary Internet
This malware has been reported by several media outfits. It gets user information from cookies stored in certain web browsers. To get a one-glance comprehensive view of the behavior of this Trojan,
\Internet Explorer\README TO UNLOCK.txt %User Profile%\Cookies\README TO UNLOCK.txt %Application Data%\Microsoft\Media Player\README TO UNLOCK.txt %Application Data%\Microsoft\Windows Media\9.0\README TO