itman

Message To Fabian - Urgent


I was just on the bleepingcomputer.com forum, in the ransomware section, and received the following alert from Eset:

5/10/2016 11:07:48 AM Real-time file system protection file C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1ARTGYTD\cerber-ransomware-support-and-help-topic-decrypt-my-files-htmltxtvbs[1].htm

Win32/Filecoder.Cerber trojan cleaned by deleting xxx-PC\xxx Event occurred during an attempt to access the file by the application: C:\Program Files\Internet Explorer\iexplore.exe (E55B59E3E9530C5E6947C46F937F6BA88DD2EB19). 38986DCBD14EF6F7D9859270223AC4FB950208E2 - hash value

This might be a FP from Eset, but I doubt it since it was detected by hash.

I don't have a bleepingcomputer.com logon. Hence posting here so you can inform them to check out their web site.


It looks to me like this detection was triggered because of some malicious code posted in the Cerber Ransomware thread. Nothing unusual, nor new. Many antivirus products will give a warning when they detect malicious JavaScript (for instance) on a webpage, even if that code is copy/pasted and not actually used on the page.

Did you get that warning when browsing the Ransomware section, or were you in the Cerber Ransomware thread directly?


Thinking about the incident a bit more, I agree with you. Appears someone probably copied in the .vbs script code Cerber uses in a posting.


It was triggered from a posting in the Cerber Ransomware section; can't recall the specific one though.


I suggest you re-read the board rules again that you accepted when you joined. Most importantly:


Bleeping Computer is none of our sites. So I am not sure what you expect me to do here. It's not uncommon for scanning engines that don't perform a proper emulation of HTML and JavaScript to get confused by code that is contained within an HTML document but not executed. So if someone posts the content of a ransom note or of a script they found on their system, it will trigger an alert by the AV even though the script code would never be executed.

My apologies. Thought it was perhaps a web site infection and you could contact them to check it out since you work closely with Bleepingcomputer in the ransomware area.


It happened back then in another Ransomware thread on BleepingComputer. Someone had copy/pasted the JS code used by a Ransomware, and avast! was flagging the page as malicious and blocking access to it. Disabling the Web Protection module stopped that behavior, so it's as Fabian said:

It's not uncommon for scanning engines that don't perform a proper emulation of HTML and JavaScript to get confused by code that is contained within an HTML document but not executed. So if someone posts the content of a ransom note or of a script they found on their system, it will trigger an alert by the AV even though the script code would never be executed.
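As an added illustration of the point Fabian makes above (example code written for this page, not from any vendor or forum mentioned in the thread): a flat scanner keys on bytes wherever they occur in the cached .htm file, while a context-aware check parses the HTML and reports whether the signature sits in a live script element or only in displayed text. The two sample pages and the `WScript.Shell` signature are constructed for the example.

```python
from html.parser import HTMLParser

SIGNATURE = "WScript.Shell"  # constructed signature a flat scanner might key on

# Constructed forum page: a poster pasted the dropper's source as escaped text.
FORUM_POST = """<html><body>
<div class="post">Found this script on the infected PC, can someone analyse it?</div>
<pre>Set shell = CreateObject(&quot;WScript.Shell&quot;)</pre>
</body></html>"""

# Constructed page where the same code is embedded as live script.
LIVE_PAGE = """<html><body>
<script type="text/javascript">var sh = new ActiveXObject("WScript.Shell");</script>
</body></html>"""

def naive_match(html, signature=SIGNATURE):
    """Flat byte matching, as the thread describes: any occurrence of the
    signature in the cached .htm file raises an alert."""
    return signature in html

class ScriptContextScanner(HTMLParser):
    """Labels each hit 'executable' (inside a live <script>, would run when the
    page renders) or 'displayed' (quoted script or ransom note in a <pre>).
    Entities are decoded, so &quot; in displayed text does not hide a hit."""
    def __init__(self, signature):
        super().__init__(convert_charrefs=True)
        self.signature = signature
        self.in_script = False
        self.hits = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        context = "executable" if self.in_script else "displayed"
        self.hits.extend([context] * data.count(self.signature))

def context_matches(html, signature=SIGNATURE):
    """One context label per occurrence of the signature in the document."""
    scanner = ScriptContextScanner(signature)
    scanner.feed(html)
    scanner.close()
    return scanner.hits

def verdict(html, signature=SIGNATURE):
    hits = context_matches(html, signature)
    if "executable" in hits:
        return "block: signature in live script"
    return "allow: displayed text only" if hits else "clean"
```

Both sample pages trip `naive_match`, but only the page with the live script element gets a block verdict from `verdict`.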
