AV stopped "trojan" after visiting website

#1
JanTro
New Member, 1 posts
Hi everyone,
 
whenever I visit one particular website, after about 1 second my antivirus software (AV in the following) notifies me that it removed a threat:
 
Trojan:Downloader.JS/Vdehu.A at file:C:\Users\xxxxx\AppData\Local\Chromium\User Data\Default\Cache\f_003655
 
This never happened before and only occurs at that particular website. Please advise whether I may publicly post this potentially dangerous website.
 
After some testing, I noticed that the AV only complains when I visit the website using Chrome (Iron, v75) or Opera (latest). Firefox (latest) does not cause the behaviour. I can replicate the behaviour on a second (Win10) computer. Both computers are in the same local network but otherwise independent.
 
Being aware that my Chrome based browser (Iron, v75) is not up-to-date, I wanted to try a newer version. I downloaded the archive (ungoogled, up-to-date) from here: https://chromium.woolyss.com/. Right after launching chrome.exe I suddenly got another AV notification; this time it was:
 
Behavior:Win32/Cerber.gen!A!:rsm

No file path is given.
 
I downloaded the latest Kaspersky Rescue Disk (USB boot thingy) and did a complete scan: no results.
 
Meanwhile I have booted the computer several times. I keep an eye on the task manager and TCPView (probably giving me some false sense of security). I have not noticed anything different.
 
 
Questions
 
1) I did read http://www.geekstogo...cleaning-guide/. However, it requires running FRST as admin. Before I do that, may I kindly ask whether it is possible that malware can spy on the act of entering the admin password and then get elevated rights? Alternatively, would a non-admin report suffice?
 
2) Ideally, you would allow me to post the allegedly malicious website and somebody could try to replicate the AV warning. It is a job advert of a large known corporation redirected from a website owned by a government institution.
 
3) I also would like to make sure that it is a client issue at all - which the first download trojan may not really suggest. As for the second ransom trojan, if you have one Chrome version installed and then try to run another portable version, it accesses the profile data of the installed version. Since the installed Chrome version is a stripped down fork (Iron), it may miss those features of the portable one that trigger the ransom trojan. Differently put, the ransom trojan may sit in the Chrome user data directory, trying to do its thing but failing due to missing admin rights / AV intervention.
 
I am a bit scared to further investigate the ransom trojan. Is there a way to run an exe with a very limited set of permissions or so (like limiting write access to the Chrome user data folder)? Or anything else I can **safely** do to learn from where the ransom trojan originates?
 
4) Please let me know if you need further information.
 
 
Some details:
 
Win7 64 (latest)
Microsoft Security Essentials (latest)
 
 
 
Best wishes
 
JanTro
 
 
Several edits: I should include the malware name in the title but the title length is too limited.

Edited by JanTro, 20 November 2019 - 04:18 AM.

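The poster asks what can safely be done to learn where the flagged cache file came from. One low-risk, defender-side step is to record the contents of the browser cache directory (names, sizes, timestamps, SHA-256 hashes) before and after visiting the site, so the newly written file the AV reacts to can be identified and its hash kept for a vendor lookup, without opening or rendering the file. The script below is an added example written for this thread, not code from the original post, from Geeks to Go, or from any tool mentioned (FRST, TCPView, Microsoft Security Essentials). It assumes the cache path quoted in the post (adjusted to the current user's profile) and uses .NET hashing directly so it also runs on the PowerShell 2.0 that ships with Windows 7; the output file names are assumptions.

```powershell
# Added example (not from the original post): snapshot a Chromium cache
# directory and compare two snapshots to find files written in between.
# Assumption: the cache path is the one quoted in the post, under the
# current user's profile. Reading files to hash them does not execute them.
param(
    [string]$CacheDir = "$env:LOCALAPPDATA\Chromium\User Data\Default\Cache",
    [string]$OutFile  = "$env:USERPROFILE\Desktop\cache_snapshot_{0}.csv" -f (Get-Date -Format 'yyyyMMdd_HHmmss'),
    [string]$Previous = ""   # optional: earlier snapshot CSV to compare against
)

$sha = [System.Security.Cryptography.SHA256]::Create()

# Hash a file as hex; returns "UNAVAILABLE" if the AV removes or locks it
# between listing and reading, so one missing file does not abort the run.
function Get-Sha256Hex([string]$Path) {
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $bytes = $sha.ComputeHash($stream)
            return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
        } finally {
            $stream.Close()
        }
    } catch {
        return "UNAVAILABLE"
    }
}

# Build one record per cache file (PS 2.0 has no -File switch, hence the filter).
function Get-CacheSnapshot([string]$Dir) {
    Get-ChildItem -Path $Dir -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = $_.Name
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss')
                SHA256        = Get-Sha256Hex $_.FullName
            }
        }
}

# Report files present in the new snapshot but not in the old one, keyed by hash.
function Compare-CacheSnapshots([string]$OldCsv, $NewRows) {
    $old = Import-Csv -Path $OldCsv
    $known = @{}
    foreach ($r in $old) { $known[$r.SHA256] = $true }
    $NewRows | Where-Object { -not $known.ContainsKey($_.SHA256) }
}

$rows = @(Get-CacheSnapshot $CacheDir)
$rows | Sort-Object LastWriteTime |
    Select-Object Name, SizeBytes, LastWriteTime, SHA256 |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("Recorded {0} cache files to {1}" -f $rows.Count, $OutFile)

if ($Previous -ne "" -and (Test-Path $Previous)) {
    $new = @(Compare-CacheSnapshots $Previous $rows)
    Write-Host ("{0} file(s) new since {1}:" -f $new.Count, $Previous)
    $new | Sort-Object LastWriteTime | Format-Table Name, SizeBytes, LastWriteTime, SHA256 -AutoSize
}
```

Run it once with the browser closed to get a baseline, visit the site in question, then run it again with `-Previous` pointing at the baseline CSV; the difference is the set of resources the page wrote to disk, and the hash of the one the AV named can be looked up with the AV vendor or a file-reputation service without ever opening the file. It runs as the ordinary user, so it needs none of the elevation the poster is worried about.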
