Search

following copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System

following copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System

following copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System

%Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System directory {string2} = last four letters of a dll file under

following copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System

/HomeRegAccess10 Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %User Temp%\~qqkyubo.inf %System%\PING.EXE ping -n 2 127.0.0.1 (Note: %User Temp% is the current user's Temp folder, which is usually C:

other financial institutions: Amazon Bank of America Blogger Chase Citibank Citizens Citizens Bank Clydesdale Comerica Ebay Fifth Third First Citizens Bank First Tennessee Flickr Frost Bank HSBC Halifax

copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under %System%

copies of itself into the affected system and executes them: %Application Data%\Microsoft\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System

copies of itself into the affected system and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under %System% directory

copies of itself into the affected system and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under %System% directory

copies of itself into the affected system and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under %System% directory

Barclays Davivienda First Direct HSBC Stolen Information This Trojan sends the gathered information via HTTP POST to the following URL: http://{BLOCKED}ttoo.cc/yahooman.php Variant Information This Trojan

command-line parameters and if the first parameter is -l , it listens to the port specified by the second command-line parameter. This Trojan may be dropped by other malware. Arrival Details This Trojan may be

https://www.towerfcu.org/onlineserv/HB/UserOptions.cgi?runmode=ForgottenPassword !*.microsoft.com/* It attempts to steal information from the following banks and/or other financial institutions: Barclays Citibank Ebay Facebook First Direct GAD IS Bank

other financial institutions: Comm100 Live Chat Direkt Print Facebook Google Mail LivePerson McAfee Me.dium Microsoft Myspace Sbisec Twitter YouTube ANZ Barclays NSBC HSBC First Direct Drop Points Stolen

steal information from the following banks and/or other financial institutions: Alliance & Leicester Barclays First Direct HSBC Natwest Santander Drop Points Stolen information is uploaded to the

Barclays Citibank Co-Operativebank Crédito Agrícola On-Line First Direct HSBC ING Direct Lloyds Microsoft Myspace OSPM Odnoklassniki Raiffeisen Santander Smile Vkontakte Attacked Entities This

information from the following banks and/or other financial institutions: ING DIRECT USA First Citizens Bank Eastwest Bank Web Cash Manager PNC Bank Union Bank Associated Bank Business Internet Banking

Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %User Temp%\~qqkyubo.inf %System%\PING.EXE ping -n 2 127.0.0.1 (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and