TaylorSystems

New Infections AUTOMATICALLY in User Download Folders???


There is an ODD incident that has now occurred on a few DIFFERENT client computers (different networks and computers in different states).

I have had clients report an Error/Malware message on their systems and when I have remotely connected, I have found that THEIR DOWNLOAD folders have ALL had a NEW file just downloaded into them.

The files, thus far, ALL have the format of an apparently random GUID with the .TMP extension.  Here is ONE example:

Scanner detected malware in C:\Users\Victo\Downloads\8738deae-a3fc-49cf-b768-8214fcb3c0d9.tmp -> (INFECTED_JS)

Here is a list of files discovered, so far:
8738deae-a3fc-49cf-b768-8214fcb3c0d9.tmp
1f503270-e61e-47fd-a5ff-0af765775ff8.tmp
b10354ed-45e1-4796-b1df-fd5e626a422a.tmp
a61807ca-2a89-4905-8134-f4214bb2b726.tmp
3fb4aa8e-23e6-40ca-a12c-089477b59c6f.tmp

Each user has told me that they were just browsing the Internet, and I am thinking it may be a possible 'Drive-By' download attack from a malicious Ad or Website page.  There 'may' have been a browser redirect involved, but the users were not clear; one of their histories does indicate a possible redirect to a questionable accessblocked404-411.azurewebsites.net web page.

My concern is that although EMSISoft FileGuard appears to have detected the malicious file, it had ALREADY been SUCCESSFULLY downloaded into the user's 'Download' folder.

I am wondering if anyone else has encountered this type of incident???  I am trying to get ahead of this before other client computers get hit!!!

Thanks.

-Larry-


Most browsers automatically save all downloads into the "Downloads" folder, and all a malicious website has to do is trick a user into clicking a link to initiate a download. Some scripts are also able to initiate downloads without user interaction.

10 hours ago, TaylorSystems said:

My concern is that although EMSISoft FileGuard appears to have detected the malicious file, it had ALREADY been SUCCESSFULLY downloaded into the user's 'Download' folder.

If the users were browsing with Firefox then this is normal, since it doesn't implement IOfficeAntiVirus or AMSI. Google Chrome implements IOfficeAntiVirus, and most Microsoft applications implement one of those APIs as well (including their browsers). They allow an application to request that anti-virus software scan a file, so the File Guard (if it was on) would have scanned any files for a browser that implements one of these APIs before they were saved.
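A small triage script for the scanner log lines quoted in this thread, added here as an example (not Emsisoft code): it parses lines of the form "Scanner detected malware in <path> -> (<detection>)", keeps only hits that fit the pattern Larry describes (a GUID-named .tmp file under a Downloads folder), collapses the duplicated log entries, and groups the rest per Windows user profile. The log line format and the two sample lines are taken from the post above; the third and fourth sample lines are constructed.

```python
"""Triage helper for GUID-named .tmp drops in Downloads (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Line shape as quoted in the thread: "Scanner detected malware in <path> -> (<name>)"
LOG_RE = re.compile(r"Scanner detected malware in (?P<path>.+?) -> \((?P<det>[^)]+)\)")
# Random GUID plus .tmp, the naming pattern seen on every affected machine
GUID_TMP_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.tmp$", re.I)


def parse_line(line):
    """Return (path, detection) for a scanner line, or None if it does not match."""
    m = LOG_RE.search(line)
    return (m.group("path"), m.group("det")) if m else None


def is_guid_tmp_download(path):
    """True when the file sits under a Downloads folder and is named <GUID>.tmp."""
    p = PureWindowsPath(path)
    return "Downloads" in p.parts and bool(GUID_TMP_RE.match(p.name))


def triage(lines):
    """Group matching hits per user profile: {user: [(filename, detection), ...]}.
    Exact duplicate log entries (the scanner logged each hit twice above) count once."""
    hits, seen = defaultdict(list), set()
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not is_guid_tmp_download(parsed[0]):
            continue
        path, det = parsed
        key = (path.lower(), det)
        if key in seen:
            continue
        seen.add(key)
        p = PureWindowsPath(path)          # parts: ('C:\\', 'Users', '<user>', 'Downloads', ...)
        user = p.parts[2] if len(p.parts) > 3 and p.parts[1].lower() == "users" else "?"
        hits[user].append((p.name, det))
    return dict(hits)


# Sample input: first two lines from the post, last two constructed for the example.
SAMPLE_LOG = [
    r"Scanner detected malware in C:\Users\Victo\Downloads\8738deae-a3fc-49cf-b768-8214fcb3c0d9.tmp -> (INFECTED_JS)",
    r"Scanner detected malware in C:\Users\Victo\Downloads\8738deae-a3fc-49cf-b768-8214fcb3c0d9.tmp -> (INFECTED_JS)",
    r"Scanner detected malware in C:\Users\Alice\Downloads\1f503270-e61e-47fd-a5ff-0af765775ff8.tmp -> (INFECTED_JS)",
    r"Scanner detected malware in C:\Users\Alice\Downloads\setup.exe -> (CONSTRUCTED_OTHER)",
]

if __name__ == "__main__":
    for user, files in triage(SAMPLE_LOG).items():
        print(user, files)
```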
