Search
Keyword: bat
the initially executed copy of itself NOTES: This worm uses any of the following extension names for its dropped copy: bat cmd com exe pif scr It moves the files from {drive letter}:\ to a created
Details This backdoor connects to the following URL(s) to check for an Internet connection: www.update.microsoft.com NOTES: The {extension name} of the dropped copy is any of the following: bat cmd com exe
NOTES: The {extension name} of the dropped copy is any of the following: bat cmd com exe pif scr It does not have rootkit capabilities. It does not exploit any vulnerability. Worm:Win32/Gamarue.F
following: bat cmd com exe pif scr It checks if it is being run in a VMware environment. If it is being run in a VMware environment, it performs another routine where it will open Port 8000 and listen for a
http://{BLOCKED}.{BLOCKED}.169.79/bn_versions/9.exe" "%Application Data%\Microsoft\f0xyupdate.exe"" It performs the following C&C commands: basic bat download filename gate get knock port srv uri It
itself NOTES: The {extension name} of the dropped copy is any of the following: BAT CMD COM EXE PIF SCR Worm:Win32/Gamarue.AN (Microsoft); Backdoor.Win32.Androm.fddz (Kaspersky) Spammed via email,
bat cmd com exe pif scr Dropped by other malware Connects to URLs/IPs
extensions: 000 1CD AFN ANI AST BAT BIN CAB CFG CHK CHM CMD COM CUR DAT DBF DBS DBX DEV DLL DMP DOC DRV DT DUN EFI EXE GIF HLP HTA HTM ICO INF INI ISP ISW JA JPG JS LNG LNK LOG MBR MDB MDF MP3 MSI MSU MUI NFO
exe dll sys msi mui inf cat bat cmd ps1 vbs ttf fon lnk .386 Ransom:Win64/QuantumLocker.AA!MTB (MICROSOFT) Downloaded from the Internet, Dropped by other malware Disables AV, Drops files, Displays
following mail client applications. Windows Mail %localappdata%\Microsoft\Windows Mail\Local Folders .eml The Bat! %localappdata%\The Bat! Mail Clients\The Bat\Local .TBB .TBN .MSG .EML .MSB .mbox .ABD .FLX
directory}\README.TXT It avoids encrypting files with the following file extensions: 386 adv ani bat bin cab cmd com cpl cur deskthemepack diagcab diagcfg diagpkg dll drv exe hlp hta icl icns ico ics idx key
the following as first extension name) DAT ELM LOG MSG TXT (with any of the following as second extension) BAT CMD EXE PIF SCR ZIP Except for the file name Update-KB{random numbers}-x86 , which always
backdoor connects to the following URL(s) to check for an Internet connection: www.update.microsoft.com NOTES: The {extension name} of the dropped copy is any of the following: bat cmd com exe pif scr It
{extension name} of the dropped copy is any of the following: BAT CMD COM EXE PIF SCR Downloaded from the Internet, Dropped by other malware Compromises system security, Connects to URLs/IPs
WORM_GAMARUE.WE where {extension name} can be any of the following: BAT CMD COM EXE PIF SCR (Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local
for an Internet connection: www.update.microsoft.com NOTES: The {extension name} of the dropped copy is any of the following: BAT CMD COM EXE PIF SCR Worm:Win32/Gamarue.I (Microsoft),
mkv 3gp mp4 mov avi asf mpeg vob mpg wmv fla swf wav mp3 sh class jar java rb asp php jsp brd sch dch dip pl vb vbs ps1 bat cmd js asm h pas cpp c cs suo sln ldf mdf ibd myi myd frm odb dbf db mdb accdb
inaccessible. NOTES: This Trojan does not encrypt files with the following extensions: chm ini tmp log url lnk cmd bat scr msi sys dll exe It deletes shadow copies by executing the following command: vssadmin.exe
Ransomware Routine This Ransomware encrypts files with the following extensions: 3dm 3ds 3g2 3gp 7z accdb ai aif apk app asf asp aspx avi bak bat bmp c cbr cer cfg cfm cgi class com cpp cs css csv dat db dbf
extensions: 3gp aac ans ape asc asm asp aspx avi awk bas bat bmp c cs cls clw cmd cpp csproj css ctl cxx def dep dlg dsp dsw eps f f77 f90 f95 fla flac frm gif h hpp hta htm html hxx ico idl inc ini inl java