GCIH · Question #522
A user opened a PDF he downloaded from the web, that contained a URL to an executable called FreeCoupons.exe. The user downloaded and ran FreeCoupons.exe, and now that file is on the C:\ partition of
The correct answer is D. A worm that spreads through RDP. The most likely classification of this malware is a worm spreading through RDP. The failed logons in Event Viewer indicate attempts by the malware to spread through RDP. Since there was no human interaction to advance the malware beyond the initial execution of the file, this qua
Question
A user opened a PDF he downloaded from the web, that contained a URL to an executable called FreeCoupons.exe. The user downloaded and ran FreeCoupons.exe, and now that file is on the C:\ partition of 20% of the company's Windows servers. Additionally, there are a large number of failed logon attempts on the Event Viewer of each server, with little time between each failed logon, and common user IDs associated with each attempt. Based on this behavior, what is the most likely classification of the malware?
Options
- AA virus that spreads through SQL injection
- BA macro virus that spreads through infected PDFs
- CA social engineering attempt that spreads through email
- DA worm that spreads through RDP
How the community answered
(46 responses)- A22% (10)
- B4% (2)
- C9% (4)
- D65% (30)
Explanation
The most likely classification of this malware is a worm spreading through RDP. The failed logons in Event Viewer indicate attempts by the malware to spread through RDP. Since there was no human interaction to advance the malware beyond the initial execution of the file, this qualifies as a worm. Since failed logons occur on each server, this is not a multi-exploit worm. Additionally, the PDF and social engineering are both vectors to download the initial malware, but is not how it spreads. Based on the behavior, this malware is not a virus, and has nothing to do with SQL
Topics
Community Discussion
No community discussion yet for this question.