Search
Keyword: URL
Downloads and execute arbitrary file (EXEC) - Executes command (GET) - Sends GET floods (HELP) - Print Commands (OPENURL) - Opens a URL using a hidden browser (POST) - Sends POST floods (QUIT) - Terminate
It connects to a URL to download its configuration file. It hooks certain APIs to perform its information stealing routine. This Trojan may be dropped by other malware. It may be unknowingly
\ Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} DisplayName = "Search" HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302} URL =
posting messages in the aforementioned sites. The messages posted may contain a URL that leads to its copy. Worm Spreads via Facebook Private Messages, Instant Messengers Downloaded from the Internet,
=Recycled.scr shell\Auto\command=Recycled.scr Other Details This worm deletes the initially executed copy of itself NOTES: It injects itself into the created process svchost.exe. It connects to the following URL
information, and the URL where it sends its stolen data.
an encrypted file. It connects to a certain URL to get a list of active peers. This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when
file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Download Routine This Trojan downloads the file from the following URL and renames the file when
downloads the file from the following URL and renames the file when stored in the affected system: http://{BLOCKED}3.{BLOCKED}1.28.235/kwefewef/fgdsee/dxzq.jpg It saves the files it downloads using the
\tus5A0A.txt . It also connects to the URL {BLOCKED.{BLOCKED}.100/0502uk12/{computername}/0/{OS Version}-{Service Pack}/0/ to send information. The following information are posted: Computer name Operating
{random numbers} Information Theft This backdoor gathers the following data: User name Computer name OS type and version Processor information Drive information NOTES: In the URL it connects to, {uri} may
\Microsoft\ Internet Explorer\SearchScopes DisplayName = "Google" HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\SearchScopes URL = "http://www.google.com/cse?cx
applications. It is an installer package for New Player application. This adware connects to the following URL to get the data it will display on its installer: http://{BLOCKED}.mxp{version}.com/{random value} It
specify the algorithm to use scrypt scrypt(1024, 1, 1) (default) sha256d SHA-256d -o, --url=URL URL of mining server (default: http://127.0.0.1:9332/) -O, --userpass=U:P username:password pair for mining
downloaded files are exhibited on the affected system. It downloads a possibly malicious file from a certain URL. The URL where this malware downloads the said file depends on the following parameter(s) passed
usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.) It downloads a possibly malicious file from a certain URL. The URL where
pool cryptonight/2 cryptonight/half cryptonight/xtlv9 cryptonight/wow -wownero pool cryptonight/r -o, --url=URL = URL of mining server -O, --userpass=U:P = username:password pair for mining server -u,
content details backup paths password usernames Other Details This Trojan Spy does the following: It connect to the following url to receives instructions with an encoded public network range to scan:
the following: Connects to the following URL to download a file: http://{BLOCKED}o.{BLOCKED}ntabros.com/78234.bin Shows the following: executes the following commands to download and execute a file:
from the following URL and renames the file when stored in the affected system: http://{BLOCKED}.{BLOCKED}.191.97/soft/get.php?name=8aa7dee7 It saves the files it downloads using the following names: