Skip to main content
Skip to main content
Microsoft Security Intelligence
Published Mar 16, 2021 | Updated Oct 03, 2022

Trojan:Win32/WebShellTerminal.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus  detects and removes this threat. 

This trojan  is  associated with attacks that exploit  vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.  

For more information and guidance from Microsoft about this threat, read the following blogs:  

Microsoft Defender Antivirus  automatically removes threats as they are detected. If you have cloud-delivered protectionyour device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat. 

Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the URL Rewrite Instructions in our  Microsoft Security Response Center post . Microsoft has released a script to apply these mitigations against the SSRF vulnerability CVE-2022-41040, available at  https://aka.ms/eomtv2 . Microsoft has confirmed that the URL Rewrite Instructions discussed publicly can break current attack chains.  

You can also visit our  advanced troubleshooting page  or search the Microsoft  virus and malware community for m ore help.

Follow us