Keyword: URL
This spyware connects to a certain URL to download its configuration file. As of this writing, the said site is inaccessible. This spyware may be unknowingly downloaded by a user while visiting
the following names: %User Temp%\m.ini - this configuration file should contain the version of the malware and another URL where it will connect to download another possibly malicious file. (Note: %User
bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post. The
Trojan deletes the initially executed copy of itself Rogue Antivirus Routine When users agree to buy the software, it connects to the following URL to continue the purchase: {BLOCKED}leach.org {BLOCKED
Other Details This Trojan deletes the initially executed copy of itself Rogue Antivirus Routine When users agree to buy the software, it connects to the following URL to continue the purchase: {BLOCKED
Temp%\nsr2.tmp\registry.dll %User Temp%\nsr2.tmp\dllstub.exe %User Temp%\nsz4.tmp\inetc.dll %User Temp%\nsz4.tmp\output.txt URL Parts Error (Note: %User Temp% is the current user's Temp folder, which is
finance-related institutions depending on the contents of the configuration file. The configuration file also contains the drop zone where it sends stolen information, the URL where the configuration file can be
bank information, such as user names, passwords, or card codes. The stolen information could then be sent to a predetermined email address, to drop zones in hosted servers or to a URL via HTTP post. The
connects to the following URL in order to get target banking sites: http://www.{BLOCKED}n.co.kr/data/review/b9.txt It monitors if the user accesses one of the following URLs from banking sites:
Antivirus Routine This Trojan displays the following fake alerts: When users agree to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}.{BLOCKED}.29.179/api/urls/
to buy the software, it connects to the following URL to continue the purchase: http://{BLOCKED}already.org/customers/buy.php http://{BLOCKED}esmoines.org/customers/buy.php http://{BLOCKED
{value} Rogue Antivirus Routine This Trojan displays the following fake alerts: When users agree to buy the software, it connects to the following URL to continue the purchase: http://www.{BLOCKED
the initially executed copy of itself NOTES: The URL where it connects to is randomly generated using a randomizing function, which is computed based on the system's current date. The download file is
(s) to check for an Internet connection: http://www.google.com http://www.bing.com It deletes the initially executed copy of itself NOTES: The URL where it connects is randomly generated using a
execute arbitrary file (EXEC) - Executes command (GET) - Sends GET floods (HELP) - Print Commands (OPENURL) - Opens a URL using a hidden browser (POST) - Sends POST floods (QUIT) - Terminate itself (SHELL
affected system: FTP credentials Internet session cookies Flash player data Personal certificates NOTES: The URL it accesses to download its configuration file has randomly generated strings depending on the
The configuration file also contains the drop zone where it sends stolen information, the URL where the configuration file can be downloaded, the codes for web injection, and the monitored URLs.
URL specified in the registry value DN in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock. It saves the downloaded file as {malware path}\CTFM0N.EXE, then executes it. It
information to its C&C server: data dnsname domain ext_ip host hostname install_time is_admin lb login nick os pass qbot_version qbot_version time url user It gathers passwords by monitoring the following
If the user agrees to activate the software, it accesses the URL http://{BLOCKED}tbiz.com/p/?&lid=3060001&affid=56300&nid=982BC1DA&group=liv . The user is redirected to the following page: It also