
malicious script "microsoft-com.ddns.net"



This virus is a Windows script that replicates itself onto infected systems and was found in school computers; it replicates itself through USB flash drives.

It affects the registry and seems to

All antivirus software fails to detect it.

I have uploaded it to the Avira website and to your website for further inspection.

Google "microsoft-com.ddns.net" for further info, as that URL is concatenated in the attached .js script.

Best regards, and keep up the good work.

%System%.rar

Edited by Bakr

It's vjw0rm.

var UblbbtkujpxMaxwPhuKVpHdLxQZTtemkyVLYIaKCNzffZrmRHiIikfnuDaNBDYlrMWeIrN = ["HKCU","HKLM","HKCU\\vjw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\"];


As soon as a Researcher checks your thread. Can you tell us where you found that file exactly? Also, can you run FRST on a computer infected with this malware and provide us the log? It'll help when creating the definitions.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system; the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply



That worm was reported to me by a neighbor friend in the UAE; apparently he got it from school computers through USB flash drive transmission.

It copies itself into c:\programdata\%system%.js

If you try to delete it via the command line, you cannot.

I even tried using:

del c:\programdata\%%system%%.js

It was returning "file not found".


Attached are the two files:

Addition.txt

FRST.txt


Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


Keep in mind that in the log file you will see:

"C:\ProgramData\%System%.js" => not found

That is because earlier I had advised the friend to delete that file manually, based on my basic check of the odd startup apps on his machine.


Indeed it did not come back.

He points out that when he inserts a USB flash drive into an infected computer, all the folders on that USB become hidden and a shortcut is created for each of them, in addition to the "%system%.js" being copied to the root folder of the flash drive....

Apparently it is using this method to spread around.

Anyhow, I hope that I have contributed to making people aware of that suspicious script.

You may sandbox it, put it in the Windows startup, and take snapshots before / after to identify in more depth how it affects the system; also try inserting a USB flash drive with some random folder structure into the sandboxed infected machine and watch its behavior yourself.

Keep up the good work.

Mustafa
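As an added illustration (not code from this thread, from Malwarebytes, or from FRST), the following Python script checks the root of a removable drive for the spreading pattern described in the first post and in the post above: each real folder hidden and shadowed by a same-named .lnk shortcut, plus a script file dropped into the root. The sample drive layout it builds in a temporary directory is constructed for the demonstration; the hidden-attribute check uses st_file_attributes on Windows and falls back to the dot-prefix convention on other systems, where the attribute does not exist.

```python
import os
import stat
import tempfile

# Windows hidden attribute bit (stat.FILE_ATTRIBUTE_HIDDEN == 2).
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)
# Script extensions that Windows Script Host runs when double-clicked.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def is_hidden(entry):
    """True if the entry carries the Windows hidden attribute.
    Off Windows (no st_file_attributes) fall back to the dot-prefix convention."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & HIDDEN_ATTR)
    return entry.name.startswith(".")


def scan_drive_root(root):
    """Look only at the top level of a drive and collect the indicators
    described in the thread: folders shadowed by a same-named .lnk,
    folders flagged hidden, and script files sitting in the root."""
    findings = {"shadowed_dirs": [], "hidden_dirs": [], "root_scripts": []}
    entries = list(os.scandir(root))
    names = {e.name.lower() for e in entries}
    for e in entries:
        if e.is_dir(follow_symlinks=False):
            if e.name.lower() + ".lnk" in names:
                findings["shadowed_dirs"].append(e.name)
            if is_hidden(e):
                findings["hidden_dirs"].append(e.name)
        elif e.is_file(follow_symlinks=False) and e.name.lower().endswith(SCRIPT_EXTS):
            # The '%' characters in a name like %System%.js are ordinary
            # characters here; nothing expands them the way cmd.exe might.
            findings["root_scripts"].append(e.name)
    for key in findings:
        findings[key].sort()
    return findings


def looks_infected(findings):
    """Require both signals together: shortcut-shadowed folders and a root script."""
    return bool(findings["shadowed_dirs"]) and bool(findings["root_scripts"])


def build_sample_drive():
    """Constructed sample layout (not a real infected drive): two folders with
    shortcut twins, one untouched folder, and a harmless placeholder script
    named like the file reported in the thread."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for folder in ("Photos", "Homework"):
        os.mkdir(os.path.join(root, folder))
        with open(os.path.join(root, folder + ".lnk"), "wb"):
            pass  # empty stand-in for the shortcut file
    os.mkdir(os.path.join(root, "Clean"))
    with open(os.path.join(root, "%System%.js"), "w") as fh:
        fh.write("// placeholder, not the worm\n")
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    result = scan_drive_root(sample)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("verdict:", "suspicious" if looks_infected(result) else "clean")
```

To check a real drive, call scan_drive_root with the drive root (for example "E:\\") instead of the constructed sample; the verdict deliberately needs both the shadowed folders and a root script, since a single .lnk or a stray .js on its own is a weak signal.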


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

