Skip to main content
Published Mar 16, 2021 | Updated Oct 03, 2022

Trojan:Win32/WebShellTerminal.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat. 

This trojan is associated with attacks that exploit vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. 

For more information and guidance from Microsoft about this threat, read the following blogs: 

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protectionyour device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat. 

Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in our Microsoft Security Response Center post. Microsoft has released a script to apply these mitigations against the SSRF vulnerability CVE-2022-41040, available at https://aka.ms/eomtv2. Microsoft has confirmed that the URL Rewrite Instructions discussed publicly can break current attack chains. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us