mar0507, posted September 28, 2018:
Hi, I am new to this forum. I have recently been attacked by the above virus. While my NOD32 warns me and asks if I want to disconnect, if I run a scan NOD32 is unable to find it. This happens twice, each time I connect to the internet using IE11. Am I still vulnerable, and how can I stop the warnings?
Peter Randziak (ESET Moderator), posted September 28, 2018:
Hello @mar0507, there are multiple topics on the forum on this subject, see https://forum.eset.com/topic/17002-jscoinminerah-virus/
On 8/28/2018 at 3:53 PM, Marcos said: "To fix this, perform a factory reset of your router and install the latest version of firmware. It appears that your router was hacked."
Are you using Mikrotik? What model?
Regards, P.R
mar0507 (author), posted September 28, 2018:
Hi Peter, thank you for the quick response. I did see that, but as my router is a Greenpacket router, Model No. DT235, I didn't think it could be the same issue. In relation to a factory reset, my ISP set up the router, so I do not have the login details at hand to be able to upgrade the firmware and then set it up again with the correct details. Thanks
mar0507 (author), posted October 1, 2018:
Hi, I now have an update on my JS/CoinMiner.AH virus. I have reset the router, and it now has a new name and password (as does the administrator), but I am still getting the same Disconnect message. The details of the so-called virus are as per the attached file. I look forward to your response. This is getting very frustrating, having to keep disconnecting every time.
itman, posted October 1, 2018 (edited October 1, 2018):
The URL shown is used for revoked certificate checking, and it is legit. It also has been referenced in prior botnet infections. If your router is indeed infected, a reset is not enough to remove the infection. The router's firmware must be updated.
-EDIT- What is happening is that the IP address for a valid URL is being changed at the router level to one that is doing coin mining. Eset is detecting the coin mining activity originating from that IP address. Additionally, the issue might not be related to the locally installed router; the ISP router or similar equipment might be infected. The problem is severe in that necessary legit outbound activity, such as in this instance the checking for revoked certificates, is being hijacked. The result is that the legit activity is never performed.
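The mechanism itman describes (a router answering DNS for a legitimate host, here a revocation-checking service, with the address of a coin-mining host) can be checked for from a client without touching the router. The script below is an added example and is not code from the thread or from ESET: it resolves a name through the system resolver (on a home network, normally the router) and separately through Google's public DNS JSON API over HTTPS, then flags answers that disagree or that point a public hostname at a non-public address. The hostname is a placeholder, since the thread's attachment with the real URL is not reproduced here, and the sample address lists are constructed from documentation ranges.

```python
"""Client-side check for router-level DNS hijacking of a legitimate hostname.

Added example, not from the forum thread. It compares the system resolver's
answers (the router on a typical home network) with an independent reference
lookup that bypasses the router's DNS.
"""
import ipaddress
import json
import socket
import urllib.request

# Placeholder (assumption): the thread does not reproduce the real URL.
HOSTNAME = "ocsp.example.com"

# A public hostname should never resolve to one of these from an upstream
# resolver; such an answer points at local tampering (router, hosts file).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Constructed sample data (documentation ranges, not real hosts): the
# reference resolver knows two legitimate addresses; the "router" answers
# with an unrelated one in the hijacked case.
SAMPLE_REFERENCE = ["198.51.100.10", "198.51.100.11"]
SAMPLE_CLEAN = ["198.51.100.11"]
SAMPLE_HIJACKED = ["203.0.113.77"]


def classify_answers(system_answers, reference_answers):
    """Compare A records from the system resolver with those from the
    reference resolver. Returns (verdict, findings) where verdict is
    'consistent' or 'suspicious' and findings lists the reasons."""
    sys_set = set(system_answers)
    ref_set = set(reference_answers)
    findings = []
    for addr in sorted(sys_set):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{addr!r}: not an IP address")
            continue
        if any(ip in net for net in NON_PUBLIC):
            findings.append(f"{addr}: non-public address for a public hostname")
    if not sys_set:
        findings.append("system resolver returned no answer")
    elif not (sys_set & ref_set):
        findings.append("system answers share no address with reference answers")
    verdict = "suspicious" if findings else "consistent"
    return verdict, findings


def resolve_system(hostname):
    """A records from the OS resolver (usually the router's DNS forwarder)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return []
    return addrs


def resolve_reference(hostname, timeout=5):
    """A records from Google's DNS JSON API over HTTPS. TLS certificate
    validation (urllib's default) means a router cannot silently substitute
    its own answer for this lookup without a certificate error."""
    url = f"https://dns.google/resolve?name={hostname}&type=A"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = json.load(resp)
    # type 1 == A record
    return [a["data"] for a in data.get("Answer", []) if a.get("type") == 1]


def main(hostname=HOSTNAME):
    sys_answers = resolve_system(hostname)
    try:
        ref_answers = resolve_reference(hostname)
    except (OSError, ValueError) as exc:
        print(f"reference lookup failed: {exc}")
        return
    verdict, findings = classify_answers(sys_answers, ref_answers)
    print(f"{hostname}: system={sorted(sys_answers)} "
          f"reference={sorted(ref_answers)} -> {verdict}")
    for item in findings:
        print("  -", item)


if __name__ == "__main__":
    main()
```

A disagreement between the two resolvers is a signal, not proof: hosts served by a CDN legitimately return different addresses to different resolvers, so the useful follow-up is to check whether the router's answer belongs to the same operator as the reference answer, and whether the router's DNS server setting has been changed from the ISP's. A match between the two, on the other hand, does not clear the ISP-side equipment itman mentions, since both lookups still traverse it.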
mar0507 (author), posted October 1, 2018:
Thank you itman. I have been informed by my ISP that the firmware is sent to the router automatically, therefore it will be up to date. They did advise that changing the password should sort it. If I continue to hit disconnect, am I safe? Thanks
itman, posted October 1, 2018 (edited October 1, 2018):
Quoting mar0507 (1 hour ago): "They did advise that changing the password should sort it."
I am leery that this will fix the problem. When you do this, make sure you also perform a factory reset while within the router's GUI. Pressing the reset button on the router does not perform a factory reset. A factory reset usually has to be done within the router GUI. Also, a factory reset will cause all custom router settings, including device settings, to be lost. This shouldn't be an issue with ISP router-controlled set top TV boxes; the router should auto-discover those. But any other custom settings or devices will have to be set up manually again.
Quoting mar0507 (1 hour ago): "If I continue to hit disconnect, am I safe?"
Yes, as far as this coin miner attack goes.
itman, posted October 1, 2018:
Will also add that Symantec has a check for VPNFilter router malware: http://www.symantec.com/filtercheck/. Don't know how accurate it is or if it can detect whether the malware is present on an external device being connected to, i.e. ISP router devices, etc. Doubt the latter.