Analysis by: Francis Xavier Antazo

ALIASES:

Worm:JS/Proslikefan (MICROSOFT), JS/Kryptik.APS trojan (NOD32)

PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

OVERVIEW

Infection Channel: Propagates via removable drives, Dropped by other malware, Downloaded from the Internet, Propagates via peer-to-peer networks

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

TECHNICAL DETAILS

File Size: 43,311 bytes
File Type: JS
Memory Resident: No
Initial Samples Received Date: 24 Nov 2013
Payload: Steals information, Terminates processes, Connects to URLs/IPs

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\Local Settings\Application Data\Microsoft\CD Burning\{random file name}.js
  • %Application Data%\{random folder name}\{random file name}.js
  • %Program Files%\{random folder name}\{random file name}.js
  • %User Temp%\{random file name}.js
  • %User Temp%\cracked\cracked.js
  • %User Temp%\{random file name}.zip (compressed malware copy)

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Application Data% is the Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

  • %User Profile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %System Root%\{random folder name}
  • %Application Data%\{random folder name}
  • %Program Files%\{random folder name}
  • %User Temp%\cracked\

(Note: %System Root% is the Windows root folder, which is usually C:\ on all Windows operating system versions. %Application Data% is the Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %User Temp% is the user's temporary folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%Application Data%\{random folder name}\{random file name}.js"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntivirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
NoDispCPL = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableCMD = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableTaskMgr = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Windows NT\CurrentVersion
SystemRestoreDisableSR = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsft\Internet Explorer\Control Panel
HomePage = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT
DontReportInfectionInformation = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\System Restore
DisableConfig = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoControlPanel = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
"NofolderOptions" = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoWindowsUpdate = "1"

HKEY_CURRENT_USER\Policies\Microsoft\
Internet Explorer\Control Panel
HomePage = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntivirusDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdateDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntivirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MigrateProxy = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
ParseAutoExec = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

  • %Program Files%\ares\my shared folder
  • %Program Files%\bearshare\shared
  • %Program Files%\edonkey2000\incoming
  • %Program Files%\emule\incoming
  • %Program Files%\grokster\my grokster
  • %Program Files%\icq\shared folder
  • %Program Files%\kazaa lite k++\my shared folder
  • %Program Files%\kazaa lite\my shared folder
  • %Program Files%\kazaa\my shared folder
  • %Program Files%\limewire\shared
  • %Program Files%\morpheus\my shared folder
  • %User Profile%\My Documents\FrostWire\Shared
  • %Program Files%\tesla\files
  • %Program Files%\winmx\shared

(Note: %Program Files% is the Program Files folder, which is usually C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copy of itself in all physical and removable drives:

  • {drive letter}:\{random file name 2}.js

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage characters}
[autorun]
{garbage characters}
shell\open\command={random file name}.js
{garbage characters}
shell\explore\command={random file name}.js
{garbage characters}
shellexecute={random file name}.js
{garbage characters}
open={random file name}.js
{garbage characters}
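
As an added example (not part of the Trend Micro write-up), the following parser reads an AUTORUN.INF of the shape shown above with the same INI semantics Windows uses, skips the garbage padding, and reports which launch directives point at a .js file; the padding text and the file name xk2p9.js in the sample are constructed placeholders, not values from a real sample.

```python
import re
from typing import Dict, List

# AutoRun directives Windows honours for launching a file; the worm sets all four.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

# key=value line; keys may contain backslashes (shell\open\command) and spaces.
_DIRECTIVE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9_\\ ]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value directives inside the [autorun] section, keys lower-cased.

    Windows reads AUTORUN.INF with INI semantics: only lines inside [autorun]
    count, and lines that are neither a section header nor key=value are
    ignored. That is why the worm's garbage padding does not break execution,
    and why this parser skips such lines instead of failing on them.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = _DIRECTIVE.match(line)
        if m:
            directives[m.group("key").lower()] = m.group("value")
    return directives


def suspicious_launchers(text: str) -> List[str]:
    """Return 'key=value' for each launch directive whose target is a .js script."""
    hits: List[str] = []
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS:
            continue
        # Tolerate quoted paths and arguments: any token ending in .js is enough.
        tokens = value.replace('"', " ").split()
        if any(t.lower().endswith(".js") for t in tokens):
            hits.append(f"{key}={value}")
    return hits


def scan_autorun_file(path: str) -> List[str]:
    """Read an AUTORUN.INF from disk; errors='replace' keeps garbage bytes harmless."""
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return suspicious_launchers(fh.read())


# Constructed sample modelled on the strings the write-up lists; the padding
# and the file name xk2p9.js are placeholders, not values from a real sample.
SAMPLE_AUTORUN = "\n".join([
    "\x01\x7f}}padding",
    "[autorun]",
    "@@##%%",
    "shell\\open\\command=xk2p9.js",
    "~~~~",
    "shell\\explore\\command=xk2p9.js",
    "{{}}",
    "shellexecute=xk2p9.js",
    "%%%",
    "open=xk2p9.js",
    "\x02\x03",
])

if __name__ == "__main__":
    for hit in suspicious_launchers(SAMPLE_AUTORUN):
        print("suspicious:", hit)
```

Point scan_autorun_file at the root of a mounted removable drive to triage it without executing anything on it.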

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • sdasetup
  • rstrui
  • fiddler
  • wuauclt
  • autoruns
  • avast
  • tcpview
  • clean
  • hotfix
  • reged
  • regmon
  • unlocker
  • msconfig
  • minitool
  • filemon
  • procexp
  • rubotted
  • perfmon
  • procmon
  • ptinstall
  • issetup
  • resmon
  • wireshark
  • sysclean
  • unescape
  • mse
  • msss
  • gmer
  • escape
  • housecall
  • avenger
  • hijack
  • mbsa

Information Theft

This worm gathers the following data:

  • CPU
  • OS
  • GPU
  • Cookie data
  • Antivirus software
  • Web browser settings

Stolen Information

This worm sends the gathered information via HTTP POST to the following URLs:

  • {BLOCKED}7.net:80/r/
  • {BLOCKED}7.net:80/u/
  • {BLOCKED}7.net:80/k/

Other Details

This worm performs DNS requests to the following sites:

NOTES:

This worm drops zip files into folders used by peer-to-peer (P2P) applications. These zip files, which contain a compressed copy of this malware, use the following names:

  • Acronis True Image 2015 18.0 Build 6525 ITA.zip
  • Adobe Photoshop CC v15.2.1 [2014 ](x64x32)Portable-Multilingual.zip
  • Adobe Photoshop CC v15.2.1_Multilingual(32 bit 64)Portable. Fina.zip
  • Adobe Photoshop Lightroom 5.6 Final RePack.zip
  • ADOBE.PHOTOSHOP.CC.2014.X32.X64.MULTILINGUAL.PORTABLE-PAF.zip
  • Ashampoo WinOptimizer 11.00.50 +Activation.zip
  • BlueStacks Rooted Version 0.9.6.4092 Modded [ENGLISH]=Dubs=.zip
  • CCleaner 5.0.0.5050 the Newest version (2015) Fully Activated.zip
  • CCleaner Edition Professional v4.18.4842
  • Circuit Wizard Paid.zip
  • Fate Stay Night.zip
  • Folder Lock 6.2.4 with serial 100% working the best one ever .zip
  • GEGeek_Toolkit82.7z.zip
  • Internet Download Manager 6.21 Build 16 [REiS][JUHAX69X].zip
  • Internet Download Manager 6.21 Build 16 Multilingual Incl Patch-.zip
  • Internet Download Manager IDM 6.21 Build 16 Final + Crack[ATOM].zip
  • IObit Driver Booster PRO 1.0.0.733.zip
  • Jeppview 1425.zip
  • Kaspersky Internet Security 2015 (License Valid till 11-9-2015) .zip
  • Kaspersky Internet Security 2015 Trial Reset By Underground Acce.zip
  • K-Lite Codec Pack 10.88 (Full).zip
  • KMSpico v10.0.4 (Office and windows activator) [TechTools].zip
  • KMSpico v10.0.4 + Portable-P2P ~{B@tman}.zip
  • KMSpico v10.0.4.zip
  • Microsoft Desktop Optimization Pack (MDOP) 2014 R2 12-4-14.zip
  • Microsoft Dynamics CRM 2015 MSDN 12-01-14.zip
  • Microsoft Dynamics GP 2015 MSDN 12-01-14.zip
  • Microsoft Dynamics SL 2015 MSDN 10-7-14.zip
  • Mixamo Fuse Universal Character Creator 1.3 Windows.zip
  • Notepad++.zip
  • OS X Yosemite For AMD [USB Bootable] dmg.zip
  • OS X Yosemite For AMD [USB Bootable].zip
  • Paragon Disk Wiper 15 Pro 10.1.25.328 WinPE BootCD x64 [JUHAX69X.zip
  • Paragon Partition Manager 15 Professional 10.1.25.377 (x86-x64).zip
  • Paragon Partition Manager 15 Professional 10.1.25.377.000.zip
  • Passcape Software Reset Windows Password 4.1.0 Advanced Edition.zip
  • Passcape Software Reset Windows Password 5.0.0.535 Advanced Edit.zip
  • Passware Kit Forensic 13.5.8557 + Serial.zip
  • Process-Hacker .v2.0.zip
  • PT Photo Editor 2.1.2 Standard Edition [JUHAX69X].zip
  • Schoolhouse Technologies Vocabulary Worksheet Factory 5.0.20.4 _.zip
  • SDL Trados 2007 Suite Pro SP3.zip
  • SiSoftware Sandra Business 2015.01.21.10 + Keygen-FFF [ATOM].zip
  • Sothink Logo Maker Professional 4.4 Build 4595 + Crack (2015) 10.zip
  • Sveriges_dodboks_1901-2013.exe.zip
  • USGS Topographic Maps Library - Alaska.zip
  • VMWare Workstation 11.0.0 Build 2305329.zip
  • WebDrive V12.10.4082 32-bit & 64-bit.zip
  • Windows7.USB.Downol.with.Image.Mastering.API.v2.for.WinXP.zip.zip
  • Windows 7 AIO ESD x86 x64 [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 7 x64 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 7 x86 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 8 x64 bits PC.zip
  • Windows 95C OSR 2.5 Swe.zip
  • Windows 95C OSR 2.5 Swe .zip
  • Windows XP Pro SP3 Lite v1.1 +Post Updates +WiFi +dotNetFx +Fire.zip
  • winrar 5.2 (32+64)Bit registered NO Serial or CRACK need.zip
  • winrar 5.2 (32bit+64bit) registered version does not need to cra.zip
  • WinUtilities 11.27[SSolution].zip

It drops zip-compressed copies of itself containing:

  • {zip file path}\cracked
  • {zip file path}\cracked\cracked.js (copy)

It searches for cookies related to the following sites:

  • addthis
  • amazon
  • bing
  • blogger
  • blogspot
  • conduit
  • dictionary
  • facebook
  • friendster
  • github
  • google
  • googleapis
  • googleusercontent
  • gravatar
  • linkedin
  • myspace
  • phpbb
  • pinterest
  • quantcast
  • reference
  • simplemachines
  • sourceforge
  • stackoverflow
  • torrent
  • twitter
  • wikipedia
  • windows
  • wordpress
  • yahoo
  • youtube

It checks for the following antivirus-related software:

  • Alwil Software
  • AVAST Software
  • AVG
  • Avira
  • ESET
  • F-Secure
  • Kaspersky Lab
  • Malwarebytes' Anti-Malware
  • Panda Security
  • Sophos
  • Spyware Doctor
  • Symantec
  • Trend Micro

It creates a randomly named .ZIP file and copies it to the folder used by the FileZilla FTP client.

It connects to randomly generated URLs under top-level domains such as the following:

  • .biz
  • .net
  • .com
  • .info
  • .name
  • .org
  • .ru

SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 11.298.04
FIRST VSAPI PATTERN DATE: 25 Nov 2014
VSAPI OPR PATTERN File: 11.299.00
VSAPI OPR PATTERN Date: 26 Nov 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random file name} = "%Application Data%\{random folder name}\{random file name}.js"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • FirewallOverride = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • FirewallDisableNotify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
    • AntivirusDisableNotify = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • Hidden = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    • NoDispCPL = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    • DisableCMD = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    • DisableTaskMgr = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    • DisableRegistryTools = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows NT\CurrentVersion
    • SystemRestoreDisableSR = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsft\Internet Explorer\Control Panel
    • HomePage = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
    • DontReportInfectionInformation = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\System Restore
    • DisableConfig = "1"
  • In HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoControlPanel = "1"
  • In HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • "NofolderOptions" = "1"
  • In HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoWindowsUpdate = "1"
  • In HKEY_CURRENT_USER\Policies\Microsoft\Internet Explorer\Control Panel
    • HomePage = "1"

Step 5

Restore these modified registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to, or seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: AntivirusDisableNotify = "1"
      To: AntivirusDisableNotify = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: FirewallDisableNotify = "1"
      To: FirewallDisableNotify = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: UpdateDisableNotify = "1"
      To: UpdateDisableNotify = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • From: AntivirusOverride = "1"
      To: AntivirusOverride = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    • From: EnableFirewall = "0"
      To: EnableFirewall = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • From: Start = "4"
      To: Start = 2
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: HideFileExt = "1"
      To: HideFileExt = 0
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • From: MigrateProxy = "0"
      To: MigrateProxy = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • From: ProxyEnable = "0"
      To: ProxyEnable = 1
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: ParseAutoExec = "0"
      To: ParseAutoExec = 1
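
As an added example (not from the Trend Micro write-up), this script audits the Step 5 values against the defaults stated above and optionally writes them back. The live reader uses Python's winreg module and so runs only on Windows; the snapshot and its values are constructed for illustration.

```python
import sys
from typing import Callable, Dict, List, Optional, Tuple

# One row per Step 5 entry: hive, subkey, value name, and the default the write-up states.
STEP5_DEFAULTS: List[Tuple[str, str, str, int]] = [
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntivirusDisableNotify", 0),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 0),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "UpdateDisableNotify", 0),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntivirusOverride", 0),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
             r"\FirewallPolicy\StandardProfile", "EnableFirewall", 1),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 2),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", 0),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Internet Settings", "MigrateProxy", 1),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", 1),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "ParseAutoExec", 1),
]

# A reader maps (hive, subkey, name) to the current value, or None when it is absent.
Reader = Callable[[str, str, str], Optional[int]]
Deviation = Tuple[str, str, str, int, int]  # hive, subkey, name, current, default


def find_deviations(read: Reader) -> List[Deviation]:
    """Return every Step 5 value that is present but differs from its default."""
    out: List[Deviation] = []
    for hive, subkey, name, default in STEP5_DEFAULTS:
        current = read(hive, subkey, name)
        if current is not None and current != default:
            out.append((hive, subkey, name, current, default))
    return out


def snapshot_reader(snapshot: Dict[Tuple[str, str, str], int]) -> Reader:
    """Reader over an in-memory snapshot, for offline testing or exported data."""
    return lambda hive, subkey, name: snapshot.get((hive, subkey, name))


def _hives():
    import winreg  # Windows only; imported lazily so the audit logic works elsewhere
    return winreg, {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}


def live_reader() -> Reader:
    """Reader backed by the live registry (64-bit view); numeric strings become ints."""
    winreg, hives = _hives()

    def read(hive: str, subkey: str, name: str) -> Optional[int]:
        try:
            with winreg.OpenKey(hives[hive], subkey, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
                value, _ = winreg.QueryValueEx(key, name)
        except OSError:  # key or value missing
            return None
        if isinstance(value, str) and value.strip().isdigit():
            return int(value)
        return value if isinstance(value, int) else None
    return read


def restore(deviations: List[Deviation], dry_run: bool = True) -> int:
    """Report each deviation and, unless dry_run, write the default back as REG_DWORD."""
    for hive, subkey, name, current, default in deviations:
        print(f"{hive}\\{subkey}\\{name}: {current} -> {default}" + (" (dry run)" if dry_run else ""))
        if not dry_run:
            winreg, hives = _hives()
            with winreg.CreateKeyEx(hives[hive], subkey, 0,
                                    winreg.KEY_WRITE | winreg.KEY_WOW64_64KEY) as key:
                winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, default)
    return len(deviations)


# Constructed snapshot of the state this worm leaves behind, not data from a real host.
INFECTED_SNAPSHOT = {
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "AntivirusOverride"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): 0,
}

if __name__ == "__main__":
    reader = live_reader() if sys.platform == "win32" else snapshot_reader(INFECTED_SNAPSHOT)
    restore(find_deviations(reader), dry_run="--apply" not in sys.argv)
```

Run it without arguments for a dry run; pass --apply from an elevated prompt to write the defaults back. The HKCU entries are written to the logged-on user's hive only.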

Step 6

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %System Root%\{random folder name}
  • %Application Data%\{random folder name}
  • %Program Files%\{random folder name}
  • %User Temp%\cracked\

Step 7

Search and delete these files

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\{random file name}.js
  • %User Temp%\{random file name}.zip (compressed malware copy)
  • {Drive Letter}:\autorun.inf
  • {Drive Letter}:\{random file name}.js
  • %User Profile%\Local Settings\Application Data\Microsoft\CD Burning\{random file name}.js
  • %User Profile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as JS_PROSLIKE.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Please delete the following files:

  • {Peer-to-Peer Folder Destination}\{Possible zip-compressed malware File Name}

The folder destination may have any of the following names:

  • %Program Files%\ares\my shared folder
  • %Program Files%\bearshare\shared
  • %Program Files%\edonkey2000\incoming
  • %Program Files%\emule\incoming
  • %Program Files%\grokster\my grokster
  • %Program Files%\icq\shared folder
  • %Program Files%\kazaa lite k++\my shared folder
  • %Program Files%\kazaa lite\my shared folder
  • %Program Files%\kazaa\my shared folder
  • %Program Files%\limewire\shared
  • %Program Files%\morpheus\my shared folder
  • %Program Files%\tesla\files
  • %Program Files%\winmx\shared
  • %User Profile%\My Documents\FrostWire\Shared

The malware file name may be any of the following:

  • Acronis True Image 2015 18.0 Build 6525 ITA.zip
  • Adobe Photoshop CC v15.2.1 [2014 ](x64x32)Portable-Multilingual.zip
  • Adobe Photoshop CC v15.2.1_Multilingual(32 bit 64)Portable. Fina.zip
  • Adobe Photoshop Lightroom 5.6 Final RePack.zip
  • ADOBE.PHOTOSHOP.CC.2014.X32.X64.MULTILINGUAL.PORTABLE-PAF.zip
  • Ashampoo WinOptimizer 11.00.50 +Activation.zip
  • BlueStacks Rooted Version 0.9.6.4092 Modded [ENGLISH]=Dubs=.zip
  • CCleaner 5.0.0.5050 the Newest version (2015) Fully Activated.zip
  • CCleaner Edition Professional v4.18.4842
  • Circuit Wizard Paid.zip
  • Fate Stay Night.zip
  • Folder Lock 6.2.4 with serial 100% working the best one ever .zip
  • GEGeek_Toolkit82.7z.zip
  • Internet Download Manager 6.21 Build 16 [REiS][JUHAX69X].zip
  • Internet Download Manager 6.21 Build 16 Multilingual Incl Patch-.zip
  • Internet Download Manager IDM 6.21 Build 16 Final + Crack[ATOM].zip
  • IObit Driver Booster PRO 1.0.0.733.zip
  • Jeppview 1425.zip
  • K-Lite Codec Pack 10.88 (Full).zip
  • Kaspersky Internet Security 2015 (License Valid till 11-9-2015) .zip
  • Kaspersky Internet Security 2015 Trial Reset By Underground Acce.zip
  • KMSpico v10.0.4 (Office and windows activator) [TechTools].zip
  • KMSpico v10.0.4 + Portable-P2P ~{B@tman}.zip
  • KMSpico v10.0.4.zip
  • Microsoft Desktop Optimization Pack (MDOP) 2014 R2 12-4-14.zip
  • Microsoft Dynamics CRM 2015 MSDN 12-01-14.zip
  • Microsoft Dynamics GP 2015 MSDN 12-01-14.zip
  • Microsoft Dynamics SL 2015 MSDN 10-7-14.zip
  • Mixamo Fuse Universal Character Creator 1.3 Windows.zip
  • Notepad++.zip
  • OS X Yosemite For AMD [USB Bootable] dmg.zip
  • OS X Yosemite For AMD [USB Bootable].zip
  • Paragon Disk Wiper 15 Pro 10.1.25.328 WinPE BootCD x64 [JUHAX69X.zip
  • Paragon Partition Manager 15 Professional 10.1.25.377 (x86-x64).zip
  • Paragon Partition Manager 15 Professional 10.1.25.377.000.zip
  • Passcape Software Reset Windows Password 4.1.0 Advanced Edition.zip
  • Passcape Software Reset Windows Password 5.0.0.535 Advanced Edit.zip
  • Passware Kit Forensic 13.5.8557 + Serial.zip
  • Process-Hacker .v2.0.zip
  • PT Photo Editor 2.1.2 Standard Edition [JUHAX69X].zip
  • Schoolhouse Technologies Vocabulary Worksheet Factory 5.0.20.4 _.zip
  • SDL Trados 2007 Suite Pro SP3.zip
  • SiSoftware Sandra Business 2015.01.21.10 + Keygen-FFF [ATOM].zip
  • Sothink Logo Maker Professional 4.4 Build 4595 + Crack (2015) 10.zip
  • Sveriges_dodboks_1901-2013.exe.zip
  • USGS Topographic Maps Library - Alaska.zip
  • VMWare Workstation 11.0.0 Build 2305329.zip
  • WebDrive V12.10.4082 32-bit & 64-bit.zip
  • Windows 7 AIO ESD x86 x64 [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 7 x64 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 7 x86 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
  • Windows 8 x64 bits PC.zip
  • Windows 95C OSR 2.5 Swe.zip
  • Windows 95C OSR 2.5 Swe .zip
  • Windows XP Pro SP3 Lite v1.1 +Post Updates +WiFi +dotNetFx +Fire.zip
  • Windows7.USB.Downol.with.Image.Mastering.API.v2.for.WinXP.zip.zip
  • winrar 5.2 (32+64)Bit registered NO Serial or CRACK need.zip
  • winrar 5.2 (32bit+64bit) registered version does not need to cra.zip
  • WinUtilities 11.27[SSolution].zip

