file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Installation This backdoor creates the following folders: %Program Files%\Microsoft System
2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista and 7. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings
\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.) It creates the following folders: %User Profile%\Application Data\VMware %User Profile%\Microsoft\Dr Watson (Note: %User Profile% is
\DOCUME~1\ADMINI~1 %User Profile%\LOCALS~1 %Program Files%\Common Files %Program Files%\Common Files\Microsoft Shared %Program Files%\Common Files\Microsoft Shared\Web Components %User Temp%\nsv3.tmp (Note:
\longzhmset" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE6.0 UninstallString = "%System%\LONGZHM\setup\setup.exe" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Wilbert1 = "%System%\regsvr32.exe %User Profile%\GOOGLE_I9\Wilbert1.jpg " HKEY_CURRENT_USER\Software\Microsoft\Windows
name} on Windows Vista and 7.) It creates the following folders: %User Profile%\Application Data\SubFolder %User Profile%\SubFolder\SubFolder %User Profile%\Microsoft\Backups (Note: %User Profile% is the
Server 2012.) Autostart Technique This Trojan adds the following registry entries to enable its automatic execution at every system startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
at every system startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM = "%Windows%\InstallDir\java.exe" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKCU =
\dd_WIC.txt %User Temp%\dd_XPS.txt %User Temp%\Microsoft .NET Framework 4 Setup_20111016_234618578-MSI_netfx_Core_x86.msi.txt %User Temp%\Microsoft .NET Framework 4
7.) Autostart Technique This Trojan adds the following registry entries to enable its automatic execution at every system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Java
{user name} on Windows Vista and 7.) Autostart Technique This spyware adds the following registry entries to enable its automatic execution at every system startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
registry keys: HKEY_CURRENT_USER\Software\Microsoft\{random key 1} HKEY_CURRENT_USER\Software\Microsoft\{random key 2} HKEY_CURRENT_USER\Software\Microsoft\{random key 3} HKEY_CURRENT_USER\Software
\Microsoft (Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.) Autostart Technique This Trojan Spy registers itself as a system service to ensure
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run netflame4.0 = "%User Profile%\netflame4.0.exe" Other System Modifications This Trojan Spy deletes the following files: %Windows%\LastGood.Tmp %Windows%
{493B0762-713A-40B1-B5CF-89A1FB79F67E}" Dropping Routine This Trojan Spy drops the following files: %All Users Profile%\Microsoft\Network\Downloader\qmgr1.dat %All Users Profile%\Microsoft\Network\Downloader\qmgr0.dat %All Users Profile
\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).) It creates the following folders: %User Profile%\Application Data\Microsoft\Forms (Note: %User Profile% is the
\SrCreateRp (Enter) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile It
8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).) Other System Modifications This Trojan modifies the following file(s): %Application Data%\Microsoft\Office\Word12.pip (Note: %Application Data% is the