rawalanche

JS/Retefe.T trojan from SkypeBrowserHost.exe


Hello

Today I got a notification that a threat was removed from my computer. I am very responsible and careful, so this was the first time in years something like this has happened, and it has me worried. It was a .js file with some long, hash-like string that was stored in the %username%\AppData\Local\Microsoft\Windows\INetCache\IE\FREZXU48\ folder:

[Attached screenshot: retefe.PNG]

Now, apparently this file was created and accessed by SkypeBrowserHost.exe, which is a component of Skype that seems to share the browser cache with Internet Explorer. The file is in a legit folder and it itself comes back negative when tested by ESET Internet Security. I believe that SkypeBrowserHost.exe is specifically used to display ads in Skype using the IE framework.

I did not do anything questionable from a security standpoint in recent days, or even months. I do not use, and have never used, Internet Explorer in recent years. I don't think I've launched it once since the last clean Windows install.

The way I see it there are two possibilities:

1. This is a false positive.

2. The advertising platform Skype uses to display ads has been compromised and SkypeBrowserHost.exe is being taken advantage of to deploy malicious software.

The latter option concerns me a bit. If that could be the case, shouldn't this be something that should be reported to Microsoft?

UPDATE:

I am getting this removed threat warning now every single time I launch Skype (Classic version for Windows desktop).


Hello,

I am having the exact same problem.


Appears to be FP. We've stopped offering the latest update for now.


Thanks but it's not needed. We have got some examples from the LiveGrid feedback system.


Having the same exact problem starting today - yesterday I had no problem when starting Skype. The file flagged was a JS file, located in the same folder as the OP stated.


Same problem, what's happening to Skype?


Please see my comment above. Updates were stopped and the detection will be removed momentarily.


The FP has been fixed and update resumed.


It is already flagging some file in Chrome as well, not only in Skype. 

[Attached screenshot: Untitled-1.jpg]
