Search
Keyword: os2first
for size must be greater than the malware code This Trojan will then infect the SYS files by overwriting the first 53,248 bytes (D000H) of the file. TrojanDropper:Win32/Sirefef.B (Microsoft);
parameters, the following message is displayed: The first usage sends random data to a target machine. This can be used to test if the remote desktop service in the target machine is enabled. The parameter with
HKEY_CURRENT_USER\Identities KillSelf = ok HKEY_CURRENT_USER\Identities First Start = {malware path and filename} HKEY_CURRENT_USER\Identities Send Inst = ok
Trend Micro has flagged this spyware as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, this spyware sends sensitive data to a remote
This spyware opens a hidden Internet Explorer window. Arrival Details This spyware may be downloaded from the following remote site(s): http://alesolo.ru/new/controller.php?action=bot&entity_list
XLSTART folder first Saves the active workbook as STARTUP.XLS in the said folder if the file name does not already exist in the XLSTART folder Infects Microsoft Office Excel worksheet files by creating a
existence in order to run properly. The first component, TwitterNETBuilder.exe, is also detected by Trend Micro as TROJ_TWEBOT.BLD. When executed, it displays a graphical user interface (GUI) window where the
HKEY_LOCAL_MACHINE\SOFTWARE\{machine name} til = "Raider 8.05" HKEY_LOCAL_MACHINE\SOFTWARE\{machine name} tjs = "1" HKEY_LOCAL_MACHINE\SOFTWARE\{machine name} djs = "{date of first execution}" HKEY_LOCAL_MACHINE
malware copy first before opening the real folder. It then changes the attributes of the original folders into Hidden and System to trick the users.
existing folders. This is to execute the malware copy first before opening the real folder. It changes the attributes of the original folders into Hidden and System to trick the users. It also drops the
accessed. These .LNK files use random file names, names of the existing folders, and hardcoded file names. This enables the copy of the worm to execute first before opening the real folder. It then changes
Other Details Based on analysis of the codes, it has the following capabilities: This macro virus hooks the macro Auto_Open. It first checks for the file ECSYSTEM.xls under XLSTART directory. If it
.bmp .doc .gif .jpe .jpg .mp3 .mp4 .mpg .pdf .png .tif .txt .wav .wma .wmv .xls This routine enables the copy of the worm to execute first before opening the real folder or file. It then changes the
This malware sends email to all recipients listed in the MS Outlook address book. It also drops copies of itself in all drives and their subfolders. These dropped copies use the names of the folders
Other Details Based on analysis of the codes, it has the following capabilities: This macro virus hooks the macro Auto_Open. It first checks for the file StartUp.xls under XLSTART directory. If it
path and file name} NOTES: The malware creates a JavaScript in the %Startup% directory that functions as its autorun technique: {space}.jse The JavaScript executes the first malware copy ran in the
use names of the existing folders, and hardcoded file names. This is to execute the malware copy first before opening the real folder. It then changes the attributes of the original folders into Hidden
after the first execution. It also overwrites a randomly selected .SYS file in the following location: %System%\drivers\ This is detected by Trend Micro as RTKT_ZEROACCES.B. To choose the target .SYS
This Trojan deletes itself after execution. Installation This Trojan is injected into the following processes running in memory: explorer.exe Autostart Technique This Trojan drops the following file
This Trojan may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites. It