Analizzato da: Paul Steven Nadera   

 

JS:Adware.Lnkr.A (Bitdefender); Adware:JS/InjectorAd.A (Microsoft); JS/Adware.Revizer.B application] (NOD32)

 Piattaforma:

Windows

 Valutazione del rischio complessivo:
 Potenziale dannoso: :
 Potenziale di distribuzione: :
 Reported Infection:
 Informazioni esposizione: :
Basso
Medio
Alto
Critico

  • Tipo di minaccia informatica:
    Adware

  • Distruttivo?:
    No

  • Crittografato?:
    No

  • In the wild::

  Panoramica e descrizione

Canale infezione: Descargado de Internet, Eliminado por otro tipo de malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Supervisa las transacciones de usuario en determinados sitios.

Se conecta a determinados sitios Web para enviar y recibir información.

  Dettagli tecnici

Dimensione file: 215,788 bytes
Tipo di file: JS
Residente in memoria: No
Data di ricezione campioni iniziali: 02 giugno 2020
Carica distruttiva: Connects to URLs/IPs

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Robo de información

Supervisa las transacciones de usuario realizadas en los siguientes sitios Web:

  • amazon.com
  • amazon.com.mx
  • amazon.cn
  • amazon.co.jp
  • youradexchange.com
  • websites containing boobking. , booing. , buking. , boocking. , boooking. , bookking. and booing.
  • bitconnect.co/register

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

  • During launch:
    • if http:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid=&tid=5851&rid=LAUNCHED&t={time in milliseconds}
    • if https:
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid=&tid=5851&rid=LAUNCHED&t={time in milliseconds}
  • After the script is loaded:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
  • Before sending request:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=BEFORE_OPTOUT_REQ&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=BEFORE_OPTOUT_REQ&t={time in milliseconds}
  • Request sending:
    • http://{BLOCKED}tcs.space/optout/get?jsonp=__twb_cb_{random number from 0 to 1000000000}&key=16dbc8c14acdb8703b&t={time in milliseconds}
  • If response is fail:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
  • If response is success:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
  • After script execution:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}

Hace lo siguiente:

  • Avoids execution in the following domains that contains the following strings:
    • musvk
    • vkonline.xyz
    • vkunblock.com
    • dostup-{any combination of letters}.com
    • freevideodownloader
    • thisadsfor.us
    • olam-hamedia.tech
    • ok.ru
    • google
    • www.google
  • Avoids the following domains:
    • paypal.com
    • secure.
    • doubleclick.net
    • addthis.com
    • twitter.com
    • docs.google.com
    • drive.google.com
    and sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
  • Monitors the following elements of a website:
    • If "link" is "chrome-webstore-item":
    • Send information to
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=PROMO_ANLZ&custom1={current hostname}&custom2={current URL}&custom3={chrome webstore item link URL}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=PROMO_ANLZ&custom1={current hostname}&custom2={current URL}&custom3={chrome webstore item link URL}&t={time in milliseconds}
    • If element "div.g" contains the following strings:
    • chrome.google.com/webstore
    • Speed Dial
    • New tab
    • start tab
    • start page
    • new page
    • home page
    • default page
    • fast dial
    • fast access
    • quick access
    • and if "a:not(.cws)" is found:
    • send information to
    • http://{BLOCKED}tcs.space/metric/?mid=1f608&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=1f608&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&t={time in milliseconds}
    • and Cookie "__mzglrl" is created
  • Checks if current hostname contains search engine strings:
    • google.
    • search.yahoo.
    • bing.com
    • ask.com
    • shopping.yahoo
    • search.aol.
    • wow.com
    • when.com
    • search.mywebsearch.com
    • search.myway.com
    • duckduckgo.com
    • mysearch.com
    • teoma.com
    • searchlock.com
    • myprivatesearch.com
    • searchprivacy.co
    • thesmartsearch.net
    • infospace
    • safefinder.com
    • mysearchguardian.com
  • Checks if current URL ends with the following strings:
    • jpg
    • png
    • jpeg
    • gif
    • bmp
    • doc
    • pdf
    • xls
    • js
    • xml
    • doc
    • docs
    • txt
    • css
    then sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_STATICFILE&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_STATICFILE&t={time in milliseconds}
  • If the amazon websites are accessed:
    • if "/s/" and "/gp/search/" are found in the URL:
    • get "data-asin" of items
    • get search filters
    • send information regarding the search query to:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
  • If youradexchange.com is accessed and if "a/display." string is found in the URL:
    • Redirects to http://www.{BLOCKED}exchange.com/a/display.php?r=391769&sub1=pr{parameters}
  • If websites with strings "boobking. , booing. , buking. , boocking. , boooking. , bookking. or booing." are accessed:
    • Redirects to http://{BLOCKED}s.me/get?key=6ae9f4bd1dc812dc713d61cba871d8e8&out=http%3A%2F%2Fbooking.com&ref=http%3A%2F%2Fgo.com&format=go&uid=rdr51824
  • If bitconnect.co/register is accessed:
    • Sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=62001&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&custom1={sponsor from site}&custom2={random number from 100000 to 9999999}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=62001&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&custom1={sponsor from site}&custom2={random number from 100000 to 9999999}&t={time in milliseconds}
  • If youradexchange.com is accessed and if "a/display." string is found in the URL:
    • Redirects to http://www.{BLOCKED}exchange.com/a/display.php?r=391769&sub1=pr{parameters}

  Soluzioni

Motore di scansione minimo: 9.850
File di pattern SSAPI: 2.298.00
Data di pubblicazione del pattern SSAPI: 04 giugno 2020

Step 1

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Adware.JS.Revizer.AK En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Sondaggio