Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Trojan-Spy.Win32.WebCenter.a Information Disclosure

🗓️ 08 Feb 2021 00:00:00Reported by malvulnType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 255 Views

Trojan-Spy.Win32.WebCenter.a creates "webcenter" folder in "C:\Windows\SysWOW64", drops web.exe, allows attackers to view system info via TCP port 8

Code
`Discovery / credits: Malvuln - malvuln.com (c) 2021  
Original source: https://malvuln.com/advisory/e3cf225a94c6be5a26fc21a1ec83f418.txt  
Contact: [email protected]  
Media: twitter.com/malvuln  
  
Threat: Trojan-Spy.Win32.WebCenter.a  
Vulnerability: Information Disclosure   
Description: The trojan creates a dir named "webcenter" under "C:\Windows\SysWOW64" and drops various exes and html pages to return information about the infected system. Executable "web.exe" listens on TCP port 80, attackers who can reach the system can view various information about the infected system E.g. computer name, instant messenger accounts (software,proto,user/passwds), ports, processes etc  
  
INFECTED_HOST/cports.html  
INFECTED_HOST/cprocess.html  
INFECTED_HOST/mspass.html  
  
Type: PE32  
MD5: e3cf225a94c6be5a26fc21a1ec83f418  
Vuln ID: MVID-2021-0077  
Dropped files: web.exe  
Disclosure: 02/07/2021  
  
Exploit/PoC:  
TELNET INFECTED_HOST 80  
  
GET /cports.html HTTP/1.1  
  
  
Process Name Process ID Protocol Local Port Local Port Name Local Address Remote Port Remote Port Name Remote Address State Process Path Product Name File Description File Version Company Process Created On User Name Process Services  
Unknown 0 TCP 80 http 0.0.0.0 0.0.0.0 Listening N/A   
Unknown 0 TCP 80 http x.x.x.x 13497 x.x.x.x Time Wait N/A   
Unknown 0 TCP 80 http x.x.x.x 13498 x.x.x.x Time Wait N/A   
  
  
Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2021 00:00Current
7.4High risk
Vulners AI Score7.4
trojan-spy.win32.webcenter.ainformation disclosurewebcenter" folderweb.exetcp port 80system info
255