Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


WM/Agent!tr in word doc

  • Please log in to reply
1 reply to this topic

#1 zulea


  • Members
  • 2 posts
  • Local time:11:55 PM

Posted 04 September 2015 - 01:27 PM

I have a user on our network that opened a word doc that got emailed to him. we have a watchgaurd firewall. it missed it. We have antivirus running on the firewall. it missed it. We have AVG Business edition on the desktops. It missed it. This was a windows XP pc. running Open Office. 


The file was opened and then the user called because he could not see the "Resume" he got emailed. (Ugh). 


So we forwarded the email to me. then deleted it from his machine.


I ran a scan on it from AVG to double check. Nothing.

I then used a website to run multiple scans on it. Only 2 of 42 scanners used at this site flagged it as bad.

Arcabit called it HEUR.VBA.Trojan

Fortinet called it WM/Agent!tr


After reading about what it does I have a couple of questions. 

1. Would it have run since the user had OpenOffice instead of MS Office? I have a feeling yes but...

2. It sounds like most variants of this try to open a port other than 80 to get to the server they are trying to contact. since most all of our ports are closed should we be ok? 

3. Thoughts on how to figure out what port this specific one tried to use?



BC AdBot (Login to Remove)


#2 doctorphibes1


  • Members
  • 10 posts
  • Local time:01:55 AM

Posted 04 September 2015 - 03:46 PM

OpenOffice can run Microsoft VBA code natively, though there are some APIs of VBA that are not supported, or are only partially supported. I would personally disable running macros automatically in office suites. LibreOffice does this out of the box I believe.


To determine which IP/Port is being used by a given program, type the following command in command prompt...
NETSTAT -p tcp -ano 
This can display the process identifier (ID) that is associated with each connection. This information can be used to determine which process (program) listens on a given port. For example, the netstat -ano command can produce the following output:
Proto Local Address Foreign Address State PID
TCP Listening 888
If you use Task Manager, you can match the process ID that is listed to a process name (program). This feature enables you to find the specific port that a program currently uses. Because this specific port is in use already by a program, another program is prevented from using that same port.
Launch Task Manager, click 'Start', then 'Run', and enter TASKMGR.EXE.
Go to the PROCESSES tab. If you do not see a PID column, click VIEW, SELECT COLUMNS, and then click to select the PID check box.
Click the column header that is labeled "PID" to sort the process by their PIDs. You should be able to easily find the process ID and match it to the program that is listed in Task Manager.
If you know a program will be listening on port 21 for example, you can further focus the output by using 'findstr', such as
netstat -p tcp -ano | findstr :21
This will search the netstat output for any entry that is using port 21. You can specify :22 instead of :21 to find services listening on port 22.
Hope I got this right...it's been a while :)
Good luck
Sry just saw the OS. The o switch may not work on XP but it's worth a try. You can also use netstat -anp tcp -b and it will show you all the ports and services that are running as long as you are using xp

Edited by doctorphibes1, 04 September 2015 - 04:00 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users