Home / malware Worm:Win32/Vexral.A
First posted on 04 June 2019.
Source: MicrosoftAliases :
Worm:Win32/Vexral.A is also known as Win32.HLLW.IRCBot.69, Win32/Agent.NIS worm, Net-Worm.Win32.Cynic.q.
Explanation :
Worm:Win32/Vexral.A is malware that posts messages that contain a hyperlink to a copy of the worm on affected user account pages of certain social networking websites. The worm could capture sensitive information including logon credentials by monitoring web browser activity and also allow unauthorized remote access by an attacker.InstallationThis worm may be encountered when visiting a hyperlink pointing to a copy of the worm hosted on a remote server or within an instant message. When run, the worm injects code into the running processes Explorer.exe and Winlogon.exe. It also drops copies of itself as the following file name containing some random characters: %windir%System32 mp_
.exe %APPDATA mp_ .exe Spreads via... Social networking and chat messagesThe worm may post a message with hyperlink pointing to a copy of the worm, by using one of the following social networking website or applications: Gtalk Instant Messaing Twitter status update Hi5 status update LinkedIn status update Facebook status update Facebook instant chat MySpace status update Hyves Status update Omegle Chat Ebuddy Instant message Payload Communicates with a remote serverWorm:Win32/Vexral.A may connect to a remote Internet Relay Chat (IRC) server to accept commands from a remote attacker. The worm could be instructed to upload or download arbitrary files. Captures sensitive dataThe worm captures sensitive data, which could include login credentials, by monitoring user web browsing of websites that have any of the following strings in the web address: login_password hackforums.net quick_username quick_password brazzers.com username password thepiratebay.org what.cd megaupload.com hotfile.com user pass fileserve.com loginUserName loginUserPassword :2222 :2082 :2083 :2086 :2087 user= pass= Analysis by Jaime Wong Last update 04 June 2019