Keyword: vb
\VB and VBA Program Settings\ Explorer\Process LO = "1" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\Schedule AtTaskMaxHours = "48" It modifies the following registry key(s)/entry(ies) as part
stc std sti stm stw stx svg swf sxc sxd sxg sxi sxm sxw tar tar.bz2 tbk tex tga tgz thm tif tiff tlg txt uop uot vb vbox vbs vdi vhd vhdx vmdk vmsd vmx vmxf vob wab wad wallet wav wb2 wk1 wks wma wmv
rb rc reg rka rm rtf sed sh shn shtml sln sql srt swa tcl tex tiff tta txt vb vcproj vbs wa v wma wv xml xsd xsl xslt It renames encrypted files using the following names: {original file name and
rm rom rpm rss rtf sav sdf sh slk sln sql srt svg swf swift tar tex tga tgz thm tif tiff tmp torrent ttf txt vb vcf vcxproj vob wav wma wmv wpd wps xhtml xla xlam xls xlsb xlsm xlsx xltx xml xps yuv
vssadmin.exe Delete Shadows /All /Quiet It avoids encrypting files with the following extensions: bas bat cmd com cpl lnk msi pif reg scr vb It avoids encrypting files within the following folder names:
sqlite sqlite3 sqlitedb sqr sr2 srf srw ssq stc std sti stw sum suo svg swf sxc sxd sxi sxm sxw syncdb t12 t13 tar tax tbk tcf tgz tib tif tiff tmd TMP tor trn txt ub uop uot upk vb vbs vcd vcf vdf vdi
\Software\VB and VBA Program Settings\ MSfirewall\Options HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ TypeLib\{420B2830-E718-11CF-893D-00A0C9054228} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ TypeLib\
\scs2.tmp (Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.) It adds the following registry keys: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ MSfirewall\Options
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ MSfirewall\Options HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ TypeLib\{420B2830-E718-11CF-893D-00A0C9054228} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ TypeLib\
drive. It avoids encrypting files with the following extensions: vb scr reg pif msi exe com cmd bat bas It renames encrypted files using the following names: {5 to 10 alphanumeric
cpp dtd java vb bak py vcx proj sln rar xhtml prc cer rm log u3 dcf conf aes ico It renames encrypted files using the following names: {random characters}.nuclear55 It does the following: It prevents
Characters}.tmp" cmd /c %ProgramFiles%\WinRAR\rar.exe vb "{Fullpath of zip/rar file}" lpk.dll|find /i "lpk.dll" "%Program Files%\WinRAR\rar.exe" a -r -ep1"%User Temp%\IRA740.tmp" "{Fullpath of zip/rar file}" "
following registry keys: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ 0\0 It adds the following registry entries: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ 0\0 0 = "0
keys: HKEY_CURRENT_USER\Software\VB abd VBA Program Settings\ Microsoft\Sysinternals PROCID = {random number between 1000 and 9999} It deletes itself after execution. It checks if the following virtual
srf srt srw st4 st5 st6 st7 so st8 stc std sti stm stw stx svg swf sxc sxd sxg sxi sxm sxw tar tar.bz2 tbk tex tga tgz thm tif tiff tlg txt uop uot vb vbox vbs vdi vhd vhdx vmdk vmsd vmx vmxf vob wab
\sysras.exe" Other System Modifications This Trojan adds the following registry keys: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ 2e7a6119\{random} It adds the following registry entries:
routine: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ Windows\CurrentControlSet IP = 120.89.55.3 HKEY_CURRENT_USER\Software\Microsoft\ Internet Explorer\Main Default_Search_URL =
swf sxc sxd sxg sxi sxm sxw tar tar.bz2 tbk tex tga tgz thm tif tiff tlg txt uop uot vb vbox vbs vdi vhd vhdx vmdk vmsd vmx vmxf vob wab wad wallet war wav wb2 wk1 wks wma wmv wpd wps x11 x3f xis xla
possibly malicious URL: {BLOCKED}.{BLOCKED}.6.203 Nimnul, Cosmu Highlights from VB 2011 Barcelona Downloaded from the Internet, Infects files Compromises system security, Steals information