Keyword: URL
svchost.exe Backdoor Routine This backdoor executes the following commands from a remote malicious user: Sleep/Idle (2 minutes) Download and execute arbitrary file Update and uninstall itself Visit URL It
" NOTES: This trojan monitors the system's browsing activities and may redirect traffic to another URL when one of the following strings are found: Google Yahoo Facebook Bing Aol Youtube Msn Hotmail Gmail
=force&userid={userid} {domain}/h_check.php {domain}/h_info_ajax.php {check_domain}/h_check.php {check_domain}/h_info_ajax.php NOTES: The URL where this malware connects to displays pornographic content to lure
uninstalls a package execOpenUrl - opens a URL The said commands are obtained from the following URL: http://{BLOCKED}h.gongfu-android.com:8511/search/getty.php It reports the result (if it fails to complete
downloaded file Get URL to download Sleep for 5 seconds Start a remote command prompt Delete itself and exit It connects to the following URL(s) to send and receive commands from a remote malicious user:
=27&passphrase=fkjvhsdvlksdhvlsd&socks=0&version=27&crc=00000000 It then waits for the user to visit any target URL and injects code into the said website. It does this by hooking certain APIs. It is also capable
When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}.{BLOCKED}.132.56/ http://{BLOCKED}megasoft.com/buy.php
it connects to the following URL to continue the purchase: http://{BLOCKED}edpaymentgate.com/buy.php? Connects to URLs/IPs, Displays windows
from the URL http://{BLOCKED}clip.com/n/{data}/{Application's name} . The name of the file contains strings related to the application. It automatically redirects to the following download sites:
from the following URL and renames the file when stored in the affected system: https://{BLOCKED}blue.com/images/html.exe It saves the files it downloads using the following names: %User Temp%\gidr.exe
accesses the following URL before download: {BLOCKED}1.{BLOCKED}5.141.87:13895/0704uk11/{COMPUTER NAME}/0/{OS VERSION}/0/{ENCRYPTED IP} {BLOCKED}1.{BLOCKED}5.141.87:13895/0704uk11/{COMPUTER NAME}/41/2/
Server.exe Backdoor Routine This worm executes the following commands from a remote malicious user: Access URL using Internet Explorer Download and execute arbitrary files Update copy It posts the following
from a remote malicious user: {C&C domain name}/{8 random characters}{hard-coded string} NOTES: This backdoor may use proxy connections by connecting to the URL {Proxy server name}:{Port Number} . The
URL. The URL where this malware downloads the said file depends on the following parameter(s) passed on to it by its components: val prime Other Details This Trojan takes advantage of the following
the URL path: ltype=ld&ccr=1&id={Disk serial number}&stat={attack status}&ver={Malware version}&loc={Location code}&os={OS Version} Win32/Trustezeb.C trojan (ESET) Downloaded from the Internet, Dropped
is capable of doing any of the following: Download and execute arbitrary files from a URL specified by the attacker Connect to remote IP addresses and port specified by the attacker It connects to apk.{BLOCKED
security module. It will pop-up a screen which redirects the victim to the following URL which is a phishing site that pretends to be a bank's online banking portal to gather the victim's credentials.
accepts the following parameters: -a, --algo=ALGO cryptonight (default) or cryptonightite -o, --url=URL URL of mining server -O, --userpass=U:P username:password pair for mining server -u, --user=USERNAME
\cmd.exe F/c start %cd%\{random file name}.exe %windir%\explorer %cd%\{target folder} It connects to randomly generated IP addresses with the following URL path: /install.htm /welcome.htm /index.htm /start.htm