A forum for reverse engineering, OS internals and malware analysis 

 #18738  by TwinHeadedEagle
 Thu Mar 28, 2013 10:29 am
Can't get rid of this malware

It creates random .js files in the following locations:

C:\Documents and Settings\User\Application Data\random folder\random file.js
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a3.js

Can you tell me the name of this malware...

>>> MCShield AllScans.txt <<<

>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.3.23.1 / NT6.1 <<<
23/03/2013 19:15:12 > Drive C: - scan started (no label ~298 GB, NTFS HDD )...
=> The drive is clean.

>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.3.23.1 / NT6.1 <<<
24/03/2013 09:48:38 > Drive C: - scan started (no label ~298 GB, NTFS HDD )...
=> The drive is clean.

>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.3.23.1 / NT6.1 <<<
24/03/2013 09:53:58 > Drive E: - scan started (FABRIZIO ~1964 MB, FAT32 flash drive )...
>>> E:\autorun.inf > Suspicious > Renamed.
>>> E:\4e4\g5f93.js - Suspicious > Renamed. (MD5: 986b4a6aa172368313e7ff5dd296f8c9)
=> Suspicious files  : 2/2 renamed.
____________________________________________
::::: Scan duration: 1sec ::::::::::::::::::
____________________________________________
 #18739  by bsteo
 Thu Mar 28, 2013 10:38 am
Maybe you can upload a sample of the malware?
 #18740  by Blaze
 Thu Mar 28, 2013 10:40 am
Hi MAXS,

Do you have a copy of the file or the MD5?

Seems like an autorun worm; disable autorun on the machine and the USB drive, check if a suspicious process is running, kill it and delete the leftovers.
 #18741  by TwinHeadedEagle
 Thu Mar 28, 2013 10:44 am
Problem is that I don't have the sample... but will try to get one...

I removed it, but it keeps coming back... I don't have a clue where it comes from...

Will try to disable USB and to remove it. Will keep you posted...
 #18742  by Blaze
 Thu Mar 28, 2013 10:56 am
Post a DDS log with the USB drive still connected. Post only DDS.txt.
 #18747  by TwinHeadedEagle
 Thu Mar 28, 2013 5:43 pm
I was unable to get a copy...

But I figured out its behaviour and successfully got rid of this nastiness...
[2013/03/28 08:10:26 | 000,046,019 | ---- | C] () -- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6b.js
Created at 08:10:26
[2013/03/28 08:27:47 | 000,046,019 | ---- | M] () -- C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6b.js
Modified at 08:27:47 to bcbcb.js

It keeps changing its name; when you try to delete it, it says file not found :>

I will try to get a sample of this malware...
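As an added example (not code from the thread or from any tool mentioned in it), here is a small Python triage helper for the situation described above: it parses OTL-style log lines like the two posted, picks out script files dropped into a Startup folder, and groups created/modified events by file size so a payload that keeps renaming itself still shows up as one item. The sample log is constructed (the first two lines are copied from the post, the third is a made-up benign entry); treating .vbs and .wsf like .js is an assumption, since the thread only mentions .js.

```python
import re
from collections import defaultdict

# OTL-style line: [date time | size | attrs | C|M] () -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>\S+) \| (?P<op>[CM])\] \(\) -- (?P<path>.+)$"
)

# Constructed sample: two lines from the post plus one benign entry.
SAMPLE_LOG = """\
[2013/03/28 08:10:26 | 000,046,019 | ---- | C] () -- C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\b6b.js
[2013/03/28 08:27:47 | 000,046,019 | ---- | M] () -- C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\b6b.js
[2013/03/28 08:30:00 | 000,001,024 | ---- | C] () -- C:\\Users\\user\\Documents\\notes.txt
"""

# Script extensions to flag; .vbs/.wsf are an assumption beyond the thread.
SCRIPT_EXT = (".js", ".vbs", ".wsf")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_otl(text):
    """Return one dict per line that matches the OTL format; others are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", ""))  # "000,046,019" -> 46019
            entries.append(d)
    return entries


def suspicious_startup_scripts(entries):
    """Map file size -> events for script files inside a Startup folder.

    Grouping by size (rather than by name) keeps the create and later modify
    events of the same payload together even after it renames itself."""
    by_size = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if STARTUP_MARKER in p and p.endswith(SCRIPT_EXT):
            by_size[e["size"]].append(e)
    return dict(by_size)


if __name__ == "__main__":
    for size, events in suspicious_startup_scripts(parse_otl(SAMPLE_LOG)).items():
        print(f"{size} bytes:")
        for e in events:
            print(f"  {e['ts']} {e['op']} {e['path']}")
```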