mandrix

ESET I.S. Aggressively blocking URL, can't find app

9 hours ago, Vince said:

no more popups alert for me with HIPS rules, or without HIPS rules.

After a Deep Scan: [screenshot attachment]

Most likely it was gone when you manually quarantined the malicious JavaScript file.

The detection of BitTorrent has nothing to do with it; switch to Deluge/qBittorrent if you want a better client.


After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.

10 hours ago, Marcos said:

After carrying out investigation on this, the malicious shortcuts should now be well detected and cleaned.

Also the shortcut leads to a JS script that isn't being detected by anything in VT.

13 minutes ago, Nightowl said:

Also the shortcut leads to a JS script that isn't being detected by anything in VT.

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.

5 minutes ago, Marcos said:

I assume the script itself is encrypted, hence it cannot be detected. You can upload it here if you have it.

I am sorry, but unfortunately I don't have it; @Vince should, as it got uploaded to VT and probably he manually quarantined it to ESET.


Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

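Marcos's point is that a scanner keyed on the file extension never looked at the extension-less copy. As an added illustration (not code from the forum, from ESET, or from any participant), here is a small content-based check that flags extension-less files in a directory whose contents read like a Windows Script Host script, so that a renamed or stripped copy is still noticed. The directory, file names and sample contents below are constructed, and the marker list is an assumption chosen for the demo.

```python
import re
import tempfile
from pathlib import Path
from typing import List

# Markers typical of Windows Script Host (WSH) JScript, used as a content heuristic.
# Assumption: an extension-less file under a root directory with WSH-like text is worth a look.
WSH_MARKERS = re.compile(r"\b(WScript|ActiveXObject|Scripting\.FileSystemObject)\b")


def looks_like_wsh_script(path: Path, max_bytes: int = 65536) -> bool:
    """Judge the file by its content, not its name: does it read like a WSH script?"""
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return False
    if b"\x00" in data:  # NUL bytes: a binary, not a text script
        return False
    text = data.decode("utf-8", errors="ignore")
    return WSH_MARKERS.search(text) is not None


def find_extensionless_scripts(root: Path) -> List[Path]:
    """List files directly under `root` that have no extension yet look like WSH scripts."""
    return [
        entry
        for entry in sorted(root.iterdir())
        if entry.is_file() and entry.suffix == "" and looks_like_wsh_script(entry)
    ]


def demo() -> List[str]:
    """Run the check over a constructed, inert sample directory; returns flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins; none of these is the real sample discussed in the thread.
        (root / "updatewins").write_text('var fso = new ActiveXObject("Scripting.FileSystemObject");\n')
        (root / "helper.js").write_text('WScript.Echo("hello");\n')  # has an extension: out of scope here
        (root / "notes").write_text("shopping list: milk, eggs\n")    # plain text, no markers
        (root / "blob").write_bytes(b"\x00\x01WScript")               # binary, skipped
        return [p.name for p in find_extensionless_scripts(root)]


if __name__ == "__main__":
    print(demo())
```

Pointing `find_extensionless_scripts` at a real drive root is a quick triage step; anything it flags should still go to the vendor for a proper verdict.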
4 minutes ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I understand, thank you Marcos.


My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar as I've described.

 

3 minutes ago, sadbhai said:

My computer is screwed from this! I can't open ESET or Windows Defender, the Start Bar has stopped working in Safe Mode, and signing in normally results in a black desktop with a flashing Taskbar as I've described.

This must be a different issue not related to what has been discussed in this topic. Please create a new topic and provide ELC logs for a start. If possible, use ESET SysRescue to boot to a clean system and run a scan of your disks.

5 hours ago, Nightowl said:

Also the shortcut leads to a JS script that isn't being detected by anything in VT.

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

1 minute ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I understand, thank you itman.

6 minutes ago, itman said:

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js. As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script.

Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

 

I believe you are mistaken; both files from my post and this file are identical, yet they were in different locations.

It is the same: https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection

It's just missing its .ext

Edited by Nightowl


 

7 minutes ago, itman said:

Hence why no one on VT detects the initiator script.

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension ;)


They are probably the same.

[screenshots attached: js2.png, js.png]


One thing I want to establish is if everyone affected by this malware was running Win 7?

I am still trying to figure out how the payload script got dropped to the C:\ root directory in Win 10.

5 hours ago, Marcos said:

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected:
updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

2 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

It's fake cracked software. Usually cracked software cracks/bypasses the activation/protection methods and usually requires the user to block the software's connection so it doesn't communicate with anything.

A crack that is trying to get data from a server / report data to a server is a fake crack, which is a TROJAN.

Yet some cracking methods do require emulation of an activation server so it could get a reply from it, but this can be done locally.

Edited by Nightowl

6 minutes ago, Nightowl said:

I believe you are mistaken , both files from my post and this file are identical , yet they were in different locations.

The malware uses multiple different scripts all named with the same prefix but created in different locations.


Yeah, probably most of them are getting it from a fake torrent or fake DL that pretends to be a cracked version of ADOBE or some other kind of software.

9 minutes ago, Namoh said:

So if I would install this (cracked) software again, ESET would now block the installation!?

Assume the malware author has already modified this second JavaScript variant, just as was done for the original, to avoid signature detection.

Edited by itman

11 minutes ago, Namoh said:

I can confirm that ESET now detects this!
Just scanned my pc and it came up with: Agent.JK trojan horse and with JK/Kryptik.BPU trojan horse.

So if I would install this (cracked) software again, ESET would now block the installation!?

Good job.

And most probably using a fake crack/torrent whose purpose is to infect.


Cracks/hacktools/keygens etc. are all detected as HACKTOOL by ESET, but if UNSAFE apps detection isn't enabled then ESET won't touch them or warn about them, because they are not malicious to the user.

 

27 minutes ago, Marcos said:

The script is malicious and has been detected by ESET since Feb. As of the last update it's also detected without an extension ;)

I really don't know what you're referring to.

When the original JavaScript variant appeared at the end of Feb., the only AVs detecting it were Emsisoft and BitDefender. Plus, they were generic detections: https://metadefender.opswat.com/results/file/bzIwMDIyOVNKV25RQVNQTkxIeWYzbVJIUEVM/regular/multiscan?lang=en . Kaspersky gave it a suspicious detection.

Edited by itman

12 minutes ago, itman said:

I really don't know what you're referring to.

This is something different which is detected by ESET as JS/Agent.AG. I was referring to the samples above, such as "updatewins". The detection was added in Feb. As Namoh wrote: "Just scanned my pc and it came up with: LNK/Agent.JK trojan horse and with JS/Kryptik.BPU trojan horse. "

https://www.virustotal.com/gui/file/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5/detection
