Keyword: ms07047 windows media player 936782
%\Internet Explorer\HOW TO DECRYPT FILES.txt %User Profile%\Cookies\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Media Player\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Windows
\Framework\v3.5\HOW TO DECRYPT FILES.txt %Program Files%\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW TO DECRYPT FILES.txt %Program Files%\Windows Media Player\HOW TO DECRYPT FILES.txt %Program
FILES.txt %User Profile%\Cookies\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Media Player\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt %User
This backdoor was hosted in the compromised Gizmodo Brazil website. It starts out as a fake Adobe Flash Player download. To get a one-glance comprehensive view of the behavior of this Backdoor, refer
Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000, XP, and Server 2003, or C:\ProgramData on Windows Vista, 7, and 8. ) It adds the following
BBOS_ZITMO.B, and WINCE_ZBOT.B, which are for devices running on Symbian OS, BlackBerry OS, and Windows Mobile, respectively. This spyware may be dropped by other malware. It may be unknowingly downloaded by a
\YOUR_FILES_ARE_ENCRYPTED.HTML %Program Files%\Adobe\Reader 10.0\Reader\Javascripts\YOUR_FILES_ARE_ENCRYPTED.HTML %Program Files%\Windows Media Player\YOUR_FILES_ARE_ENCRYPTED.HTML %Windows%\pchealth\helpctr\PackageStore
%Application Data%\{random2} (Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\
man.zip.exe JetAudio v7.0.0.3001 Plus Vx.zip.exe Microsoft Money 2007.zip.exe LimeWire Pro 4.13.2.1.zip.exe Roxio Copy And Convert 3.4.0.zip.exe Windows XP Pro Essential Final.zip.exe Windows Vista Ultimate
where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows
iexplore.exe = "0" HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings GlobalUserOffline = "0" HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Media Player\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt %User Profile%\Local Settings\HOW TO
\Microsoft\Windows\CurrentVersion\Run Adobe Flash Player Installer = "%Windows%\taskmgrse.exe" Other System Modifications This Trojan deletes the following files: %Windows%\Microsoft.NET\Framework\v2.0.50727
%Application Data%\Microsoft\Media Player\HOW TO DECRYPT FILES.txt %Application Data%\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt %User Profile%\Local Settings\HOW TO DECRYPT FILES.txt %User Profile%
\Policies\Explorer\Run HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\5DFEB7D0 HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\AD434845 It modifies the following registry entries:
filename}.exe - detected as BKDR_TOFSEE.RIG (Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server
which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.) It drops the following copies of itself into the affected system: %User Profile%
of Arborea (TERA.exe, ExLauncher.exe) Tibia Player (OTP.exe) World of Warcraft (wow.exe) Stolen Information This spyware sends the gathered information via HTTP POST to the following URL: http://
\program files (x86)\ :\programdata\ :\recovery\ :\recycler\ :\users\all users\ :\windows\ :\windows.old\ \appdata\local\ \appdata\locallow\ \appdata\roaming\adobe\flash player\ \appData\roaming\apple