Keyword: os2first
Details This Worm adds and runs the following services: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MaintenaceSrv Start = 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MaintenaceSrv
* https://homebanking.swfinancial.org/commonfiles/HBLogins/Loginv* https://homebanking.usnmfcu.org/commonfiles/HBLogins/Loginv* https://iti.fnb-online.com/PBI_*/*NextLoginOption* https://ktt.key.com/ktt/cmd/logon 2 https://my.if.com/PlanReviewAct/plan.asp
This spyware is injected into all running processes to remain memory resident. It attempts to steal information, such as user names and passwords, used when logging into certain banking or
NEUREVT, also known as Beta Bot, was first spotted in the wild around March 2013. It was available in the underground market at a relatively cheap price. Once installed on the infected system, it
2 characters} = "{hex value}" Other Details This Trojan connects to the following possibly malicious URL: http://{BLOCKED}onbooster.com/wp-content/plugins/e1.php?{random letter}={random values}
2 characters} = "{hex value}" Other Details This Trojan connects to the following possibly malicious URL: http://{BLOCKED}generator.co.uk/wp-content/plugins/e4.php http://{BLOCKED
registry entries to disable the following system services: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS Start = "4" (Note: The default value data of the said registry entry is 2.)
.kwd .lbi .lcd .lcf .ldb .lgp .lp2 .ltm .ltr .lvl .mag It renames encrypted files using the following names: {file name}.POSHCODER NOTES: It encrypts the first 81,920 bytes of the file if the file size
\CurrentVersion\Uninstall\Total Mail Converter_is1 InstallDate = "20191101" HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Total Mail Converter_is1 MajorVersion = "2
and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under System directory {string2} = last four letters of a dll file
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user. Arrival Details
Start = "4" (Note: The default value data of the said registry entry is 2.) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv Start = "4" (Note: The default value data of the said registry
the following copies of itself into the affected system and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe {string1} = first four letters of a dll file under %System%
copies of itself into the affected system and executes them: %Application Data%\{string1}{string2}\{string1}{string2}.exe where: {string1} = first four letters of a dll file under %System% directory
where: {string1} = first four letters of a dll file under %System% directory {string2} = last four letters of a dll file under %System% directory (Note: %System% is the Windows system folder, where it
" HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Total Mail Converter_is1 MajorVersion = "2" HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall