Jump to content

Trojan Detection Blocks Access to Excel.


Recommended Posts

Hi!, I hope you are doing well.

We have the following alert generated for the path C:\Windows\Temp\q.vbs, attached is an image. The issue now is that the antivirus product (ESET Endpoint Antivirus) appears to block this path because it detects the Trojan, and it does not allow the execution of an Excel file with macros. I have attached an image of the error that appears.

Text in English from excel error:
Script: C:\Windows\Temp\q.vbs

Line: 5

Character: 1

Error: This script contains malicious elements, and the antivirus software has blocked it: 'Send'

Code: 800A802D

Source: Microsoft VBScript Runtime Error

Alert from console..jpg

Excel Error.jpg

Link to comment
Share on other sites

  • Administrators

I've analyzed the script and at the final stage it downloads malware detected by ESET as Win32/Rescoms.B trojan.

Please provide the Excel file with macro in an archive encrypted with the password "infected" to make sure that the macro is detected prior to execution.

Link to comment
Share on other sites

16 minutes ago, Marcos said:

Are you positive that the heavily obfuscated script is legitimate?

My vote is it's malicious since its running PowerShell hidden in bypass mode.

Edited by itman
Link to comment
Share on other sites

Greetings!
Here is the file compresed as you asked.

And regarding itmans question, the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked, but we do not have further information on this matter.

RENTA 2022.rar

Link to comment
Share on other sites

25 minutes ago, Felipe osorio said:

the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked

Assumed here is its a cracked version of MS Office. The computer needs to be thoroughly examined since the crack obviously has made system modifications. It goes without saying that the cracked software needs to be removed.

Link to comment
Share on other sites

  • Administrators
8 hours ago, itman said:

I assume the file would still contain vbaproject.bin inside but this was missing in the above xlsx file. I'll pass it to our researchers for a check though.

Link to comment
Share on other sites

  • Most Valued Members

It is indeed a virus and the location of it indicates it more WINDOWS/TEMP , And the file name is more weird ,I doubt some of your colleagues have to work on a file named q.vbs and store in TEMP

Remove that file after you send it to ESET , and inform the place where it came from that they are sending malicious files , and if there is no response / action from their side , block them.

If your client doesn't use macros inside Word or Excel files , its recommended to disable them by default even from trusted locations.

Edited by Nightowl
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...