PUA.JS.Revizer.AA

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It connects to certain websites to send and receive information.

Arrival Details

This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This Potentially Unwanted Application does not have any propagation routine.

Backdoor Routine

This Potentially Unwanted Application does not have any backdoor routine.

Rootkit Capabilities

This Potentially Unwanted Application does not have rootkit capabilities.

Information Theft

This Potentially Unwanted Application does not have any information-stealing capability.

Other Details

This Potentially Unwanted Application connects to the following website to send and receive information:

• During launch:
  • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=LAUNCHED&t={time in milliseconds}
• After the script is loaded:
  • If a script element of the current URL contains "1eaefda9f709934a5d{any characters}.js" in its URL source path:
    • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=LOADED&custom1={current hostname}&custom2={first 50 characters of current URL's pathname}&custom3={domain name the script element}&t={time in milliseconds}
  • Else:
    • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=LOADED&custom1={current hostname}&custom2={first 50 characters of current URL's pathname}&t={time in milliseconds}
• If current URL's hostname equal to "{BLOCKED}ysambadresult.in":
  • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=URL_BLACKLISTED&custom1={current hostname}&t={time in milliseconds}
• If current URL ends with the following strings:
  • jpg
  • png
  • jpeg
  • gif
  • bmp
  • pdf
  • xls
  • js
  • xml
  • doc
  • docs
  • txt
  • css
  • It sends information to the following website(s):
    • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=URL_STATICFILE&t={time in milliseconds}
• If current URL's hostname contains any of following strings:
  • paypal.com
  • secure.
  • .gov
  • doubleclick.net
  • addthis.com
  • twitter.com
  • docs.google.com
  • drive.google.com
  • analytics.google.com
  • notifications.google.com
  • It avoids them and sends information to the following website(s):
    • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
• If current URL's "link" element equal to "chrome-webstore-item":
  • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=PROMO_ANLZ&custom1={current hostname}&custom2={current URL}&custom3={chrome-website-item link URL}&t={time in milliseconds}
• If an error occured:
  • (http or https)://{BLOCKED}ch.biz/log/?l=error&m={"undefined" or "!empty message!"}|{error message}&t={time in milliseconds}
• If execution is completed without errors:
  • (http or https)://{BLOCKED}ch.biz/metric/?mid=&wid=52096={1 or blank}&tid=7854&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}

It does the following:

• Avoids execution in the following domains that contains the following strings:
  • dostup-{any combination of letters}.com
  • freevideodownloader
  • musvk
  • {BLOCKED}ne.xyz
  • {BLOCKED}ock.com
  • {BLOCKED}amedia.tech

It does not exploit any vulnerability.