TROJ_VALYRIA is a password-protected Microsoft document file that carries malicious scripts embedded in its document body (detected as VBS_NEMUCOD). NEMUCOD, a script malware family known for its heavily obfuscated “download and execute” script, is now evolving from JavaScript to Visual Basic Script.
As the payload, TSPY_URSNIF is downloaded by VBS_NEMUCOD; it steals users’ information and then attempts to send and receive data from a certain host URL.
Anti-Spam Pattern
Layer | Detection | Pattern Version | Release Date |
---|---|---|---|
INFECTION | VBS_VALYRIA.A | 13.413.00 | 5/18/2017 14:07 |
INFECTION | VBS_VALYRIA.B | 13.413.00 | |
INFECTION | VBS_VALYRIA.C | 13.413.00 | |
INFECTION | VBS_VALYRIA.D | 13.413.00 | |
INFECTION | VBS_VALYRIA.E | 13.413.00 | |
INFECTION | VBS_VALYRIA.F | 13.413.00 | |
INFECTION | VBS_VALYRIA.G | 13.413.00 | |
INFECTION | VBS_VALYRIA.H | 13.413.00 | |
INFECTION | VBS_VALYRIA.I | 13.413.00 | |
INFECTION | TROJ_VALYRIA.GAS | 13.413.00 | |
INFECTION | TROJ_VALYRIA.GGA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.LNKA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOC | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCB | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCC | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCD | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCE | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCF | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCG | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCH | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCI | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCJ | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCK | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCL | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCN | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DOCQ | 13.413.00 | |
INFECTION | TROJ_VALYRIA.DP | 13.413.00 | |
INFECTION | TROJ_VALYRIA.GQA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.FQA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AQX | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQO | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQP | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQQ | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQR | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQS | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQT | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQU | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQV | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQW | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQX | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQY | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSQZ | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSRA | 13.413.00 | |
INFECTION | TROJ_VALYRIA.AUSRB | 13.413.00 | |
INFECTION | TSPY_URSNIF.GQA | 13.417.00 | 5/20/2017 11:38 |
Web Reputation (Malicious URLs and Classification)
Layer | URL | Rating | Release Date |
---|---|---|---|
EXPOSURE | {blocked}185.189.14.193/odg.jd | Malware Accomplice | 3/20/2017 |
EXPOSURE | hxxp://{blocked}91.210.166.142/skdata.sql | Malware Accomplice | 5/18/2017 |
EXPOSURE | hxxp://urbansoft{blocked}.cc/sql.db | Malware Accomplice | 5/11/2017 |
EXPOSURE | hxxp://{blocked}185.188.183.206/report.prt | Disease Vector | 4/21/2017 |
EXPOSURE | hxxp://aura-proprete{blocked}.fr/sck.txt | Disease Vector | 4/25/2017 |
EXPOSURE | hxxp://{blocked}185.195.25.79/5324.csv | Malware Accomplice | 5/18/2017 |
EXPOSURE | hxxp://coloctionneur{blocked}.fr/license.csv | Malware Accomplice | 5/18/2017 |
EXPOSURE | hxxp://{blocked}91.210.164.3/22.dob | Malware Accomplice | 5/18/2017 |
EXPOSURE | hxxp://{blocked}185.188.183.235/img.jpt | Malware Accomplice | 4/13/2017 |
EXPOSURE | hxxp://legadodevelopmentgroup{blocked}.com/tmp.pkg | Malware Accomplice | 5/5/2017 |
Behavior Monitoring Pattern (AEGIS)
Layer | Detection | Pattern Version | Release Date |
---|---|---|---|
AEGIS | 4914T | OPR 1671 | 6/14/2017 |
Solution Map - What should customers do?
Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
---|---|---|---|---|---|---|---|
OfficeScan | 11 SP1 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | Not Applicable | Update Pattern via web console |
Worry-Free Business Suite | Standard | Not Applicable | | | | | |
Worry-Free Business Suite | Advanced/MSA | Update Pattern via web console | | | | | |
Worry-Free Business Suite | Hosted | | | | | | |
Deep Security | 8.0 and above | Not Applicable | Update Pattern via web console | Not Applicable | Update Pattern via web console | | |
ScanMail | SMEX 10 and later | Not Applicable | Update Pattern via web console | Not Applicable | | | |
ScanMail | SMD 5 and later | | | | | | |
InterScan Messaging | IMSVA 8.0 and above | | | | | | |
InterScan Web | IWSVA 6.0 and later | | | | | | |
Deep Discovery | DDI 3.0 and later | Not Applicable | Update Pattern via web console | | | | |
Recommendations
- Recommendations on how to best protect your network using Trend Micro products
- Setting actions in password protected Microsoft (MS) documents for InterScan Messaging Security (IMSx) products
- Submitting suspicious or undetected virus for file analysis to Technical Support