[Threat] VBA/TrojanDownloader.Agent.MUV


Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer to the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typos" in the article:

Quote

III. Deny child processes from Office 2013/2016 processes

  1. In the HIPS rules window, click Add.

[Figure 3-1]

  2. Type “Deny child processes from Office 2013 processes” into the Rule name field.

  3. From the Action drop-down menu, select Block.

     Enable the following options:

     • Applications
     • Enabled
     • Logging severity (warning)
     • Notify user

     Click Next.

[Figure 3-2]

  4. In the Source applications window, click Add and type in the following file names, clicking OK and then Add after each one:
     • C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
     • C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
     • C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
     • C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
     • C:\Program Files (x86)\Microsoft Office\Office15\POWERPNT.EXE

     Click Next.

[Figure 3-3]

  5. In the Application operations window, click the slider bar next to Start new application to enable it. Click Next.

[Figure 3-4]

  6. In the Applications window, click Add and type in the following file names, clicking OK and then Add after each one:
     • C:\Windows\System32\cmd.exe
     • C:\Windows\SysWOW64\cmd.exe
     • C:\Windows\System32\wscript.exe
     • C:\Windows\SysWOW64\wscript.exe
     • C:\Windows\System32\cscript.exe
     • C:\Windows\SysWOW64\cscript.exe
     • C:\Windows\System32\ntvdm.exe
     • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
     • C:\Windows\System32\regsvr32.exe
     • C:\Windows\SysWOW64\regsvr32.exe
     • C:\Windows\System32\rundll32.exe
     • C:\Windows\SysWOW64\rundll32.exe

     Add additional Office versions as needed, repeating the same instructions as above.

     • 2016 = Office16 (C:\Program Files (x86)\Microsoft Office\Root\Office16\...)
     • 2010 = Office14

     Click Finish.

[Figure 3-5]

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#
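As an added illustration (not part of itman's post or the ESET KB), the following PowerShell builds the source-application and target-application path lists the rule above needs, covering the Office14/15/16 directories the post mentions, and checks which entries actually exist on the endpoint before they are typed into the HIPS rule. The Office directory roots and the per-version layout are assumptions taken from the post's version note, not verified against every Office install.

```powershell
# Added example, not ESET's or the thread author's code. Generates the HIPS rule
# path lists and flags entries that do not exist on this endpoint, so a dropped
# leading letter (the KB's "tvdm.exe" / "egsvr32.exe" / "undll32.exe") is caught
# before the rule is created.

$officeApps = 'WINWORD.EXE', 'OUTLOOK.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'
# Assumed directory layout per Office version (2010 = Office14, 2013 = Office15,
# 2016 = Root\Office16), in both Program Files roots as the KB lists them.
$officeDirs = @(
    'C:\Program Files\Microsoft Office\Office14'
    'C:\Program Files (x86)\Microsoft Office\Office14'
    'C:\Program Files\Microsoft Office\Office15'
    'C:\Program Files (x86)\Microsoft Office\Office15'
    'C:\Program Files\Microsoft Office\Root\Office16'
    'C:\Program Files (x86)\Microsoft Office\Root\Office16'
)
$sourceApps = foreach ($dir in $officeDirs) {
    foreach ($app in $officeApps) { Join-Path $dir $app }
}

# Script hosts and other interpreters the KB rule stops Office from starting,
# in both the native System32 and the WOW64 copies.
$targets = 'cmd.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe', 'rundll32.exe',
           'WindowsPowerShell\v1.0\powershell.exe'
$targetApps = foreach ($root in 'C:\Windows\System32', 'C:\Windows\SysWOW64') {
    foreach ($t in $targets) { Join-Path $root $t }
}
$targetApps += 'C:\Windows\System32\ntvdm.exe'   # KB lists the System32 copy only

function Test-RulePaths {
    param([string[]]$Paths, [string]$Label)
    foreach ($p in $Paths) {
        $state = if (Test-Path -LiteralPath $p -PathType Leaf) { 'present' } else { 'MISSING' }
        [pscustomobject]@{ List = $Label; State = $state; Path = $p }
    }
}

$report = @(Test-RulePaths $sourceApps 'Source') + @(Test-RulePaths $targetApps 'Application')
$report | Format-Table -AutoSize

# Source entries for Office versions not installed here are expected to be MISSING;
# a MISSING Windows interpreter almost always means a typo in the path.
$report | Where-Object { $_.List -eq 'Application' -and $_.State -eq 'MISSING' } |
    ForEach-Object { Write-Warning "Check this entry, not found: $($_.Path)" }
```

Paste only the entries reported as present into the Source applications and Applications windows of the rule.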


8 hours ago, itman said:

Finally, if one insists on enabling macros in Office apps, I would strongly recommend that the following HIPS rule be created on all endpoint devices. This rule will block all script executables from being spawned from an Office app.

Refer to the rule details given in this Eset KB article section. Note I duplicated the entire article section because there are "typos" in the article:

https://support.eset.com/en/kb6119-configure-hips-rules-for-eset-business-products-to-protect-against-ransomware#


Thanks, itman, there are some HTML errors in KB6119 that we'll fix.

54 minutes ago, foneil said:

Thanks, itman, there are some HTML errors in KB6119 that we'll fix.

Actually, the HTML errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

On 2/4/2020 at 3:45 PM, itman said:

Actually, the HTML errors are not what I am referring to. A few of the noted "Application" processes are missing the leading character on the .exe prefix; e.g.

  • C:\Windows\System32\tvdm.exe - should be C:\Windows\System32\ntvdm.exe
  • C:\Windows\System32\egsvr32.exe - should be C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\egsvr32.exe - should be C:\Windows\SysWOW64\regsvr32.exe
  • C:\Windows\System32\undll32.exe - should be C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\undll32.exe - should be C:\Windows\SysWOW64\rundll32.exe

Check the entire article for references to the above.

Thanks again, that KB has been fixed.
