Author: Paul Steven Nadera   
 

JS:Adware.Lnkr.A (Bitdefender); Adware:JS/InjectorAd.A (Microsoft); JS/Adware.Revizer.B application] (NOD32)

 PLATFORM:

Windows

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL::
 DISTRIBUTION POTENTIAL::
 REPORTED INFECTION:
 INFORMATION EXPOSURE:
Low
Medium
High
Critical

  • Threat Type:
    Adware

  • Destructiveness:
    No

  • Encrypted:
    No

  • In the wild::
    Yes

  OVERVIEW

INFECTION CHANNEL: Descargado de Internet, Eliminado por otro tipo de malware

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Supervisa las transacciones de usuario en determinados sitios.

Se conecta a determinados sitios Web para enviar y recibir información.

  TECHNICAL DETAILS

File size: 215,788 bytes
File type: JS
Memory resident: No
INITIAL SAMPLES RECEIVED DATE: 02 de июня de 2020
PAYLOAD: Connects to URLs/IPs

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Robo de información

Supervisa las transacciones de usuario realizadas en los siguientes sitios Web:

  • amazon.com
  • amazon.com.mx
  • amazon.cn
  • amazon.co.jp
  • youradexchange.com
  • websites containing boobking. , booing. , buking. , boocking. , boooking. , bookking. and booing.
  • bitconnect.co/register

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

  • During launch:
    • if http:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid=&tid=5851&rid=LAUNCHED&t={time in milliseconds}
    • if https:
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid=&tid=5851&rid=LAUNCHED&t={time in milliseconds}
  • After the script is loaded:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=LOADED&custom1={current hostname}&t={time in milliseconds}
  • Before sending request:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=BEFORE_OPTOUT_REQ&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=BEFORE_OPTOUT_REQ&t={time in milliseconds}
  • Request sending:
    • http://{BLOCKED}tcs.space/optout/get?jsonp=__twb_cb_{random number from 0 to 1000000000}&key=16dbc8c14acdb8703b&t={time in milliseconds}
  • If response is fail:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_FAIL&t={time in milliseconds}
  • If response is success:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=OPTOUT_RESPONSE_OK&t={time in milliseconds}
  • After script execution:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=FINISHED&custom1={current hostname}&t={time in milliseconds}

Hace lo siguiente:

  • Avoids execution in the following domains that contains the following strings:
    • musvk
    • vkonline.xyz
    • vkunblock.com
    • dostup-{any combination of letters}.com
    • freevideodownloader
    • thisadsfor.us
    • olam-hamedia.tech
    • ok.ru
    • google
    • www.google
  • Avoids the following domains:
    • paypal.com
    • secure.
    • doubleclick.net
    • addthis.com
    • twitter.com
    • docs.google.com
    • drive.google.com
    and sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_IGNOREDOMAIN&t={time in milliseconds}
  • Monitors the following elements of a website:
    • If "link" is "chrome-webstore-item":
    • Send information to
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=PROMO_ANLZ&custom1={current hostname}&custom2={current URL}&custom3={chrome webstore item link URL}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=PROMO_ANLZ&custom1={current hostname}&custom2={current URL}&custom3={chrome webstore item link URL}&t={time in milliseconds}
    • If element "div.g" contains the following strings:
    • chrome.google.com/webstore
    • Speed Dial
    • New tab
    • start tab
    • start page
    • new page
    • home page
    • default page
    • fast dial
    • fast access
    • quick access
    • and if "a:not(.cws)" is found:
    • send information to
    • http://{BLOCKED}tcs.space/metric/?mid=1f608&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=1f608&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&t={time in milliseconds}
    • and Cookie "__mzglrl" is created
  • Checks if current hostname contains search engine strings:
    • google.
    • search.yahoo.
    • bing.com
    • ask.com
    • shopping.yahoo
    • search.aol.
    • wow.com
    • when.com
    • search.mywebsearch.com
    • search.myway.com
    • duckduckgo.com
    • mysearch.com
    • teoma.com
    • searchlock.com
    • myprivatesearch.com
    • searchprivacy.co
    • thesmartsearch.net
    • infospace
    • safefinder.com
    • mysearchguardian.com
  • Checks if current URL ends with the following strings:
    • jpg
    • png
    • jpeg
    • gif
    • bmp
    • doc
    • pdf
    • xls
    • js
    • xml
    • doc
    • docs
    • txt
    • css
    then sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_STATICFILE&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=URL_STATICFILE&t={time in milliseconds}
  • If the amazon websites are accessed:
    • if "/s/" and "/gp/search/" are found in the URL:
    • get "data-asin" of items
    • get search filters
    • send information regarding the search query to:
    • http://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=&wid=51824&sid={1 or blank}&tid=5851&rid=AMZN_SEARCH&custom1={current hostname}&custom2={search keywords}&custom3={data-asin of items}&custom4={result count}&custom5={dropdownbox text}&t={time in milliseconds}
  • If youradexchange.com is accessed and if "a/display." string is found in the URL:
    • Redirects to http://www.{BLOCKED}exchange.com/a/display.php?r=391769&sub1=pr{parameters}
  • If websites with strings "boobking. , booing. , buking. , boocking. , boooking. , bookking. or booing." are accessed:
    • Redirects to http://{BLOCKED}s.me/get?key=6ae9f4bd1dc812dc713d61cba871d8e8&out=http%3A%2F%2Fbooking.com&ref=http%3A%2F%2Fgo.com&format=go&uid=rdr51824
  • If bitconnect.co/register is accessed:
    • Sends information to the following website(s):
    • http://{BLOCKED}tcs.space/metric/?mid=62001&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&custom1={sponsor from site}&custom2={random number from 100000 to 9999999}&t={time in milliseconds}
    • https://{BLOCKED}tcs.space/metric/?mid=62001&wid=51824&sid={1 or blank}&tid=5851&rid=BANNER_LOAD&custom1={sponsor from site}&custom2={random number from 100000 to 9999999}&t={time in milliseconds}
  • If youradexchange.com is accessed and if "a/display." string is found in the URL:
    • Redirects to http://www.{BLOCKED}exchange.com/a/display.php?r=391769&sub1=pr{parameters}

  SOLUTION

Minimum scan engine: 9.850
SSAPI Pattern-Datei: 2.298.00
SSAPI Pattern veröffentlicht am: 04 de июня de 2020

Step 1

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como Adware.JS.Revizer.AK En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.


Did this description help? Tell us how we did.