Search results for keyword: ms07047 windows media player 936782
Vulnerability DHCP Client 1000861* - Microsoft Windows DHCP Client Service Remote Code Execution DNS Client 1002537* - Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability 1002358* - Adobe
Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows
%Windows%\eHome ehshell.exe = "Windows Media Center" HKEY_CURRENT_USER\Software\Classes\ Local Settings\Software\Microsoft\ Windows\Shell\MuiCache\ %Program Files%\MICROS~1\Office12 OIS.EXE = "Microsoft
].txt!-==kronstar21@gmail.com=--.crypt %User Profile%\Media Player\UserMigratedStore_59R.bin!-==kronstar21@gmail.com=--.crypt %User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt!-=
Navigator\User Trusted External Applications %Program Files%\Windows Media Player\wmplayer.exe = "Yes" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Multimedia\WMPlayer\MIME Types\ audio/x-ms-wax UserApprovedOwning
\SOFTWARE\Microsoft\ MediaPlayer MP2.SaveDir = "%Program Files%\Windows Media Player" (Note: The default value data of the said registry entry is %Program Files%\Windows Media Player.) HKEY_CURRENT_USER
Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.) It drops the following copies of itself into the affected system:
- contains the list of all infected files for ransom (Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server
Users%\{random}.txt - contains the list of all infected files for ransom (Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000,
Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0) Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Mozilla/1.22
%User Temp%\is1438683437 (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) Other
%User Temp%\is1373634743 (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) Other
%User Temp%\is415804647 (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) Other System
\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.) It creates the following folders: %Application Data%\
\AdobeARMI.exe %Program Files%\icq\shared folder\K-Lite Mega Codec v5.5.1.exe %Program Files%\icq\shared folder\YouTubeGet 5.4.exe %Program Files%\icq\shared folder\Windows 2008 Enterprise Server VMWare Virtual
VanDyke Visicom Media AceFTP WinFTP It attempts to steal stored email credentials from the following: BatMail IncrediMail Microsoft Outlook Pocomail RimArts Becky! Internet Mail Thunderbird Windows Live
Keygen Windows XP Media Center Keygen.exe YIM HAcker 2008.exe YIM HAcker 2009.exe It checks the user name of the system and does not execute when the user name is any of the following: CurrentUser UserName
however, led them to download a bogus Adobe Flash Player update (detected by Trend Micro as TROJ_DLOAD.QK). This connects to a URL to download TROJ_INJECT.ZZ, which dropped TROJ_ROOTKIT.FX.