
ESET I.S. aggressively blocking URL, can't find app



  • Most Valued Members
9 hours ago, Vince said:

no more popups alert for me with HIPS rules, or without HIPS rules.

After a Deep Scan:

[attached screenshot: ESET scan result]

Most likely it was gone when you manually quarantined the malicious JavaScript file.

The detection of BitTorrent has nothing to do with it; switch to Deluge/qBittorrent if you want a better client.


  • Administrators

After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.


  • Most Valued Members
10 hours ago, Marcos said:

After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.

Also, the shortcut leads to a JS script that isn't being detected by anything on VT.


  • Administrators
13 minutes ago, Nightowl said:

Also, the shortcut leads to a JS script that isn't being detected by anything on VT.

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.


  • Most Valued Members
5 minutes ago, Marcos said:

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.

I am sorry, but unfortunately I don't have it; @Vince should, it got uploaded to VT

and probably he manually quarantined it with ESET.


  • Administrators

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

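Marcos's point above, that a scanner keyed on the file name misses the very same bytes once the `.js` extension is stripped, as an added Python example that is not part of the thread and not ESET's code: a small content-based classifier that flags files whose bytes look like Windows Script Host JavaScript whether they carry a `.js` extension, no extension, or a misleading one. The keyword list, the threshold and the sample directory are constructed for the demonstration (a real scanner relies on signatures and emulation, not a handful of tokens), and the sample script body is inert; the `updatewins` name is the one discussed in the thread.

```python
"""Content-based script detection regardless of file extension.

Added example (not from the forum thread and not ESET's code): classify
files by what their bytes look like rather than by their name, so an
extensionless or renamed script is still surfaced for review.
"""
import os
import re
import tempfile

# Constructed heuristic token list for this example; a real scanner would
# use proper signatures/emulation, not a handful of keywords.
_SCRIPT_TOKENS = (
    rb"\bfunction\b",
    rb"\bvar\b",
    rb"\bnew\s+ActiveXObject\b",
    rb"\bWScript\b",
    rb"\beval\s*\(",
    rb"\bString\.fromCharCode\b",
    rb"\bunescape\s*\(",
)
_TOKEN_RES = [re.compile(t) for t in _SCRIPT_TOKENS]

# Extensions under which a script file is *expected* to appear on Windows.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

HEAD_BYTES = 65536  # only the first 64 KiB of each file is inspected


def script_score(data: bytes) -> int:
    """Number of distinct script tokens present in the inspected prefix."""
    head = data[:HEAD_BYTES]
    return sum(1 for rx in _TOKEN_RES if rx.search(head))


def looks_like_script(data: bytes, threshold: int = 2) -> bool:
    """True when enough distinct tokens appear to call the bytes a script."""
    return script_score(data) >= threshold


def classify(path: str) -> str:
    """Return 'script' (expected extension), 'script-no-ext',
    'script-wrong-ext' or 'other', judging content first and name second."""
    with open(path, "rb") as fh:
        data = fh.read(HEAD_BYTES)
    if not looks_like_script(data):
        return "other"
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    if ext == "":
        return "script-no-ext"
    return "script-wrong-ext"


def scan_dir(root: str) -> dict:
    """Map each regular file directly under root to its classification."""
    verdicts = {}
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if os.path.isfile(full):
            verdicts[name] = classify(full)
    return verdicts


def demo() -> dict:
    """Build a constructed sample directory and scan it.

    The same inert script bytes are written under three names: a normal
    .js name, no extension at all, and a misleading .txt extension.
    """
    sample = (b'var sh = new ActiveXObject("WScript.Shell");\n'
              b'function main() { WScript.Echo("constructed sample"); }\n')
    with tempfile.TemporaryDirectory() as d:
        for name in ("updatewins.js", "updatewins", "updatewins.txt"):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(sample)
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(b"plain notes, nothing of interest\n")
        return scan_dir(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The three copies of the sample receive three different verdicts even though their bytes are identical, which is exactly the gap an extension-keyed check leaves open; a defender wanting the same idea on a live host would point `scan_dir` at the drive root and treat `script-no-ext` and `script-wrong-ext` hits as items to quarantine and submit for analysis.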

  • Most Valued Members
4 minutes ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I understand, thank you Marcos.


My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar as I've described.

 


  • Administrators
3 minutes ago, sadbhai said:

My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar as I've described.

This must be a different issue not related to what has been discussed in this topic. Please create a new topic and provide ELC logs for a start. If possible, use ESET SysRescue to boot to a clean system and run a scan of your disks.


5 hours ago, Nightowl said:

Also, the shortcut leads to a JS script that isn't being detected by anything on VT.

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 


  • Most Valued Members
1 minute ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I understand, thank you itman.


  • Most Valued Members
6 minutes ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I believe you are mistaken; both files from my post and this file are identical, yet they were in different locations.

It is the same: https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection

It's just missing its file extension.

Edited by Nightowl

  • Administrators

 

7 minutes ago, itman said:

Hence why no one on VT detects the initiator script.

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension ;)


One thing I want to establish is if everyone affected by this malware was running Win 7?

I am still trying to figure out how the payload script got dropped to the C:\ root directory in Win 10.


5 hours ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I were to install this (cracked) software again, ESET would now block the installation!?

Good job.


  • Most Valued Members
2 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I were to install this (cracked) software again, ESET would now block the installation!?

Good job.

It's fake cracked software. Usually cracked software cracks/bypasses the activation/protection methods and requires the user to block the software's connections so it doesn't communicate with anything.

A crack that is trying to get data from a server / report data to a server is a fake crack, which is a TROJAN.

Yet some cracking methods do require emulation of an activation server so it could get a reply from it, but this can be done locally.

Edited by Nightowl

6 minutes ago, Nightowl said:

I believe you are mistaken; both files from my post and this file are identical, yet they were in different locations.

The malware uses multiple different scripts all named with the same prefix but created in different locations.


  • Most Valued Members

Yeah, probably most of them are getting it from a fake torrent or fake download that pretends to be a cracked version of Adobe or some other kind of software.


9 minutes ago, Namoh said:

So if I were to install this (cracked) software again, ESET would now block the installation!?

Assume the malware author has already modified this second JavaScript variant, just like they did for the original, to avoid signature detection.

Edited by itman

  • Most Valued Members
11 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I were to install this (cracked) software again, ESET would now block the installation!?

Good job.

And most probably using a fake crack/torrent whose purpose is to infect.


  • Most Valued Members

Cracks/hacktools/keygens etc. are all detected as HACKTOOL by ESET; if UNSAFE apps detection isn't enabled then ESET won't touch them, or warn about them, because they are not malicious to the user.

 


27 minutes ago, Marcos said:

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension ;)

I really don't know what you're referring to.

When the original JavaScript variant appeared at the end of Feb., the only AVs detecting it were Emsisoft and BitDefender. Plus, they were generic detections: https://metadefender.opswat.com/results/file/bzIwMDIyOVNKV25RQVNQTkxIeWYzbVJIUEVM/regular/multiscan?lang=en. Kaspersky gave it a suspicious detection.

Edited by itman

  • Administrators
12 minutes ago, itman said:

I really don't know what you're referring to.

This is something different which is detected by ESET as JS/Agent.AG. I was referring to the samples above, such as "updatewins". The detection was added in Feb. As Namoh wrote: "Just scanned my pc and it came up with: LNK/Agent.JK trojan horse and with JS/Kryptik.BPU trojan horse. "

https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection


This topic is now closed to further replies.