Analizzato da: Patrick Noel Collado   
 Modificato da: : Bren Matthew Ebriega
 

JS:Adware.Lnkr.A (BITDEFENDER)

 Piattaforma:

Windows

 Valutazione del rischio complessivo:
 Potenziale dannoso: :
 Potenziale di distribuzione: :
 Reported Infection:
 Informazioni esposizione: :
Basso
Medio
Alto
Critico

  • Tipo di minaccia informatica:
    Adware

  • Distruttivo?:
    No

  • Crittografato?:
    No

  • In the wild::

  Panoramica e descrizione

Canale infezione: Descargado de Internet, Eliminado por otro tipo de malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Supervisa las transacciones de usuario en determinados sitios.

Se conecta a determinados sitios Web para enviar y recibir información.

  Dettagli tecnici

Dimensione file: 111,610 bytes
Tipo di file: JS
Residente in memoria: No
Data di ricezione campioni iniziali: 04 settembre 2020
Carica distruttiva: Connects to URLs/IPs, Others, Steals information

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Robo de información

Supervisa las transacciones de usuario realizadas en los siguientes sitios Web:

  • amazon.com
  • amazon.com.mx
  • amazon.cn
  • amazon.co.jp
  • youradexchange.com
  • websites containing boobking. , booing. , buking. , boocking. , boooking. , bookking. and booing.

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

  • During launch:
    • if http:
      • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid=&tid=8803&rid=LAUNCHED&t={time in milliseconds}
    • if https:
      • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid=&tid=8803&rid=LAUNCHED&t={time in milliseconds}
  • After the script is loaded:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
  • Before sending request:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
  • Request sending:
    • http://{BLOCKED}src.net/optout/get?jsonp=__mtz_cb_{random number from 0 to 1000000000}&key=2263eddcb82daefb7&t={time in milliseconds}
  • If response is fail:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
  • If response is success:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
  • After script execution:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}
  • If response is fail:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
  • Request sending:
    • http://{BLOCKED}src.net/optout/get?jsonp=__mtz_cb_{random number from 0 to 1000000000}&key=2263eddcb82daefb7&t={time in milliseconds}

Hace lo siguiente:

  • Avoids execution in the following domains that contains the following strings:
    • musvk
    • vkonline.xyz
    • vkunblock.com
    • dostup-{any combination of letters}.com
    • freevideodownloader
    • thisadsfor.us
    • olam-hamedia.tech
    • ok.ru
    • google
    • www.google
  • Avoids the following domains:
    • paypal.com
    • secure.
    • .gov
    • doubleclick.net
    • addthis.com
    • twitter.com
    • docs.google.com
    • drive.google.com
    • analytics.google.com
    • notifications.google.com
  • and sends information to the following website(s):
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
  • Monitors the following elements of a website:
    • If "link" is "chrome-webstore-item":
      • Send information to:
        • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1orblank}&tid=8803&rid=PROMO_ANLZ&custom1={currenthostname}&custom2={currentURL}&custom3={chrome webstore item link URL}&t={time inmilliseconds}
        • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1orblank}&tid=8803&rid=PROMO_ANLZ&custom1={currenthostname}&custom2={currentURL}&custom3={chrome webstore item link URL}&t={time inmilliseconds}
    • If element "div.g" contains the following strings:
      • chrome.google.com/webstore
      • Speed Dial
      • New tab
      • start tab
      • start page
      • new page
      • home page
      • default page
      • fast dial
      • fast access
      • quick access
    • and if "a:not(.cws)" is found:
      • http://{BLOCKED}src.net/metric/?mid=1f608&wid=51807&sid={1orblank}&tid=8803&rid=BANNER_LOAD&t={time in milliseconds}
      • https://{BLOCKED}src.net/metric/?mid=1f608&wid=51807&sid={1orblank}&tid=8803&rid=BANNER_LOAD&t={time in milliseconds}
    • and Cookie "__mzglrl" is created
  • If url contains lotterysambadresult.in, it sends information to the following website:
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_BLACKLISTED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_BLACKLISTED&custom1={current hostname}&t={time in milliseconds}
  • Checks if current URL ends with the following strings:
    • jpg
    • png
    • jpeg
    • gif
    • bmp
    • doc
    • pdf
    • xls
    • js
    • xml
    • doc
    • docs
    • txt
    • css
  • then sends information to the following website(s):
    • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_STATICFILE&t={time in milliseconds}
    • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=URL_STATICFILE&t={time in milliseconds}
  • If the amazon websites are accessed:
    • if "/s/" and "/gp/search/" are found in the URL:
    • get "data-asin" of items
    • get search filters
    • send information regarding the search query to:
      • http://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
      • https://{BLOCKED}src.net/metric/?mid=&wid=51807&sid={1 or blank}&tid=8803&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
  • If youradexchange.com is accessed and if "a/display." string is found in the URL:
    • Redirects to http://www.{BLOCKED}exchange.com/a/display.php?r=391769&sub1=pr{parameters}
  • If websites with strings "boobking. , booing. , buking. , boocking. , boooking. , bookking. or booing." are accessed:
    • Redirects to http://{BLOCKED}s.me/get?key=6ae9f4bd1dc812dc713d61cba871d8e8&out=http%3A%2F%2Fbooking.com&ref=http%3A%2F%2Fgo.com&format=go&uid=rdr51807
  • Checks if current hostname contains search engine strings:
    • google.
    • search.yahoo.
    • bing.com
    • ask.com
    • shopping.yahoo
    • search.aol.
    • wow.com
    • when.com
    • search.mywebsearch.com
    • search.myway.com
    • duckduckgo.com
    • mysearch.com
    • teoma.com
    • searchlock.com
    • myprivatesearch.com
    • searchprivacy.co
    • thesmartsearch.net
    • infospace
    • safefinder.com
    • mysearchguardian.com

  Soluzioni

Motore di scansione minimo: 9.850
File di pattern SSAPI: 2.332.28
Data di pubblicazione del pattern SSAPI: 10 settembre 2020

Step 2

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Adware.JS.REVIZER.AM En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Sondaggio