Windows hack script

Got this in an email that was suspicious.
Looks like a Windows script file that does something not so good.

Could anybody analyze and tell me what it does?

pgm554 (Author) Commented:
Appears to run a script that drops a back door and some other goodies.

It came in a zip file and passed at least 3 virus scans.
John, Business Consultant (Owner), Commented:
It came in a zip file and passed at least 3 virus scans.

That is how Crypto Lock viruses come.
pgm554 (Author) Commented:
From what I gather it appears to launch IE so that it can drop a backdoor downloader on top of the other commands.
I ran M$ Essentials, Malwarebytes and AVG and all seem clean.
Any virus scanners that look for script files in compressed formats?
John, Business Consultant (Owner), Commented:
I would be inclined to delete the email right away.
pgm554 (Author) Commented:
That's been done.
It's perfectly harmless unless the extension is changed.
John, Business Consultant (Owner), Commented:
I looked through the script briefly and cannot really see what it would do. So maybe just forget it until and unless you get another one.
David Johnson, CD, MVP (Owner) Commented:
It is a JavaScript downloader. My antivirus scanned it immediately.
I did a document.write on one of the variables and removed the job entries.

Sophos UTM picks this up as Troj/JSDldr-QU

Interesting that the VirusTotal page reckons Sophos does not pick it up as a threat when it definitely does. UTM runs Sophos and Avira for virus detection. Avast Business also picks this up though VirusTotal says no...

As David Johnson says, it's a JavaScript downloader. The code is all obfuscated using character encoding. If you would like the raw JavaScript I can provide it to you in a text file decoded. They basically use a series of variables for text and a series of joins to bring the code together to execute. I know the code is malicious so I have not gone beyond that in say trying to debug and watch exactly what happens.
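
The variables-plus-joins obfuscation described in the comment above can be unwound statically, without letting the script run. The following is an added example, not part of the thread and not the decoded sample offered there; `resolveStrings`, its helpers and the embedded sample are constructed for illustration, and anything the resolver cannot reduce to literals is reported as unresolved rather than evaluated.

```javascript
// Added example, not code from the thread: statically resolve strings built from
// escapes, char codes, concatenation and joins. The sample is never eval'd or run.
const TOKEN = /("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')|String\.fromCharCode\(([\d\s,]*)\)|([A-Za-z_$][\w$.]*)|(\S)/g;
const unescapeLiteral = (s) => s.replace(/\\(?:x([\da-fA-F]{2})|u([\da-fA-F]{4})|([^]))/g,
  (_, x, u, c) => (x || u ? String.fromCharCode(parseInt(x || u, 16)) : ({ n: "\n", r: "\r", t: "\t" })[c] ?? c));
const tokenize = (src) => [...src.matchAll(TOKEN)].map((m) =>
  m[1] ? { t: "str", v: unescapeLiteral(m[1].slice(1, -1)) }
  : m[2] !== undefined ? { t: "str", v: String.fromCharCode(...(m[2].match(/\d+/g) || [])) }
  : m[3] ? { t: "id", v: m[3] } : { t: m[4] });
function term(tok, p, env) {                    // -> [string, nextIndex], or throws
  const k = tok[p] || {};
  if (k.t === "str") return [k.v, p + 1];
  if (k.t === "id" && env.has(k.v)) return [env.get(k.v), p + 1];
  if (k.t !== "[") throw new Error("not statically resolvable");
  const parts = [];                             // [e1, e2, ...].join("sep")
  for (p += 1; tok[p] && tok[p].t !== "]"; ) {
    const [v, q] = expr(tok, p, env);
    parts.push(v);
    p = tok[q] && tok[q].t === "," ? q + 1 : q;
  }
  const sep = tok[p + 4] || {};
  if ((tok[p + 2] || {}).v !== "join" || sep.t !== "str") throw new Error("array without .join(str)");
  return [parts.join(sep.v), p + 6];
}
function expr(tok, p, env) {                    // expr := term ('+' term)*
  let [val, q] = term(tok, p, env);
  for (let rhs; tok[q] && tok[q].t === "+"; val += rhs) [rhs, q] = term(tok, q + 1, env);
  return [val, q];
}
function resolveStrings(source) {
  const tok = tokenize(source), strings = new Map(), unresolved = [];
  for (let i = 0; i + 2 < tok.length; i++) {
    if (tok[i].t !== "id" || tok[i + 1].t !== "=") continue;
    try {
      const [val, end] = expr(tok, i + 2, strings);
      if (tok[end] && tok[end].t !== ";") throw new Error("trailing tokens");
      strings.set(tok[i].v, val);
    } catch { strings.delete(tok[i].v); unresolved.push(tok[i].v); }
  }
  return { strings, unresolved };
}

// Constructed sample in the style described above (benign, placeholder host).
const SAMPLE = String.raw`
var a = "\x57\x53c" + String.fromCharCode(114, 105, 112, 116); var b = ["Sh", "e", "ll"].join("");
var c = a + "." + b;
var u = ["ht", "tp", ":", "//", "example", ".invalid/"].join("") + "f\u0069le";
var d = c + getSuffix();
`;
console.log(resolveStrings(SAMPLE));
```

Names listed in `unresolved` mark where the script computes values at run time; those are the spots to inspect by hand in an isolated analysis environment.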
pgm554 (Author) Commented:
Nice to know that there are so many ineffective virus scanners.
pgm554 (Author) Commented:
Just for the heck of it, I sent it to an Exchange server I manage and it got right through.

5 engines and it gets through.
pgm554 (Author) Commented:
As an FYI, M$ Security Essentials scanned one of my laptops the other day and quarantined the text file of the hack Downloader.JS.Nemucod.FJ

So two weeks to update the signature.