Search
Keyword: bat
copy may be any of the following: BAT CMD COM EXE PIF SCR Trojan-Downloader.Win32.Andromeda.adxa (Kaspersky), Win32/TrojanDownloader.Wauchos.L trojan (NOD32), Troj/Mdrop-FIL (Sophos Lite)
}romhellfromme12345.net/gate.php {BLOCKED}romhellfromme12345.net/upload.php NOTES: This spyware steals information from the following Mail/Messenger Application: Qip2005 Qip2010 QipInfium The Bat It steals user names and passwords
avoids encrypting files with the following file extensions: sys exe dll bat bin cmd com cpl gadget inf1 ins inx isu job jse lnk msc msi mst paf pif rgs scr sct shb shs u3p vb vbe vbs vbscript ws wsh wsf
{BLOCKED}x.pl/image.php http://{BLOCKED}g.pl/image.php http://{BLOCKED}n.ru/image.php NOTES: The extension name of the dropped copy is any of the following: bat cmd com exe pif scr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run {7 random numbers} = {7 random numbers} Other Details This Ransomware encrypts files with the following extensions: bin com exe bat png bmp dat log ini
drops the following file(s) as ransom note: {All affected directories}\readme.pdf It avoids encrypting files with the following file extensions: 386 adv ani bat bin blf cab cmd com cpl cur dat
following file extensions: com ani scr drv hta rom bin msc ps1 diagpkg shs adv msu cp prf bat idx mpa cmd msi mod ocx icns ics sp 386 lock sys rtp wpx diagcab theme deskthemepack msp cab ldf nomedia ic lnk
}cgrvkj.ru/in.php NOTES: The {extension name} of the dropped copy is any of the following: bat cmd com exe exe pif scr Win32/TrojanDownloader.Wauchos.A trojan (Eset), VirTool:Win32/CeeInject (Microsoft)
any information-stealing capability. NOTES: The extension name used in one of this backdoor's dropped copy may be any of the following: BAT CMD COM EXE PIF SCR It does not have rootkit capabilities. It
dropped copy is any of the following: bat cmd com exe exe pif scr Worm:Win32/Gamarue.I (Microsoft), Win32/TrojanDownloader.Wauchos.A trojan (Eset), Backdoor.Trojan (Symantec)
asm asp aspx avi awk bas bat bmp c cs cls clw cmd cpp csproj css ctl cxx def dep dlg dsp dsw eps f f77 f90 f95 fla flac frm gif h hpp hta htm html hxx ico idl inc ini inl java jpeg jpg js la mak
bmp inf txt manifest chm log ini tmp lnk cmd bat scr msi sys dll exe After successfully encrypting files on the infected system, it replaces the wallpaper with the image it drops in %All Users Profile%
ransom note Other Details This Trojan encrypts files with the following extensions: aes ARC asc asf asm asp avi bak bat bmp brd bz2 cgm class cmd cpp crt csr CSV dbf dch dif dip djv djvu DOC docb docm docx
\ Configuration {random numbers} = "{random hex values}" File Infection This Trojan avoids infecting the following file types: avi wav mp3 gif ico png bmp inf manifest chm log ini tmp lnk cmd bat scr msi sys dll
bin msp wpx bat sys spl scr icl rom msc ico LIVE Trojan:Win32/Filecoder.ARA!MTB (MICROSOFT) Downloaded from the Internet, Dropped by other malware Displays graphics/image, Drops files, Encrypts files
}onzmwuehky.nl/in.php http://{BLOCKED}ososoft.ru/in.php http://{BLOCKED}ph.su/in.php It deletes itself after execution. NOTES: Where {random extension} can be any of the following : bat cmd com exe pif scr It checks if
extensions: 3dm 3ds 3fr 3g2 3ga 3gp a2c aa aa3 aac accdb aepx ai aif amr ape apnx ari arw asf asp aspx asx avi azw azw1 azw3 azw4 bak bat bay bin bmp camproj cat ccd cdi cdr cer cert cfg cgi class cmf cnf conf
xlsb xlsm xlt xltm xltx xlw xml asp bat brd c cmd dch dip jar js rb sch sh vbs 3g2 fla m4u swf bmp cgm djv gif nef png db dbf frm ibd ldf myd myi onenotec2 sqlite3 sqlitedb paq tbk tgz 3dm asc lay lay6
}onzmwuehky.nl/in.php http://{BLOCKED}ososoft.ru/in.php It deletes itself after execution. NOTES: Where {random extension} can be any of the following : bat cmd com exe pif scr It checks if it is being run in a VMWare
\ List {malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:Mantle Acne" NOTES: The extension name of the dropped copy is any of the following: bat cmd com exe pif scr