4 Replies Latest reply on Jun 21, 2013 8:34 AM by Hayton Branched from an earlier discussion.

    JS/Ransom-ABJ detected

      JS/Ransom-ABJ was detected by McAfee; it was in the log, but it did not stop the virus from infecting my user account. I could not boot to safe mode. I had a second account with full admin rights on my PC, so I was able to log into that account and manually clean the virus.

        • 1. Re: JS/Ransom-ABJ detected
          Hayton

          You tacked this in to the end of a discussion about a redirector, which this isn't. I've branched it out and moved it into Security Awareness / Top Threats.

          McAfee has detected the javascript file dropped by a Trojan. You don't say if anything else was detected.

          There isn't a description of this in the McAfee database, but thanks to VirusTotal I can confirm that this is the same one known to Microsoft as Trojan:JS/Reveton.A; see the Encyclopedia entry for this detection at

          http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:JS/Reveton.A

          The malicious JavaScript's only function is to use the legitimate system file "rundll32.exe" to launch the Trojan:Win32/Reveton dropper component.

          For a generic description of the Reveton dropper (there are many variants) see

          http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fReveton

          Deleting the files may get rid of the infection, but you should still run a couple of scans just in case: the Trojan may have downloaded other malware.

          I would advise that you run Stinger (from here) and then update McAfee and run a full scan.

          • 2. Re: JS/Ransom-ABJ detected

            Thanks for taking the time to give my post a look. At the time nothing else was detected. But since then 2 full automatic scans were run and the following was detected in the quarantined and trusted items screen. I've had ZeroAccess before; I cleaned it with ComboFix. It's good to see McAfee detecting it now.

            I will give Stinger a try,

            Thanks

            Screen Shot.jpg

            Message was edited by: rmczar on 5/20/13 7:15:19 PM CDT

            • 3. Re: JS/Ransom-ABJ detected

              Hi

              The same has just happened to me today. Why, a month after you highlighted this threat, is McAfee still letting this Trojan through? I went onto live chat with McAfee, who put me through to the Virus Removers. They wanted to charge me $89.95 to check my machine. Found your post on Google and checked my machine with the Stinger in McAfee's reply to you.

              • 4. Re: JS/Ransom-ABJ detected
                Hayton

                bertie42 wrote:

                Why, a month after you highlighted this threat, is McAfee still letting this Trojan through?

                Well, it's not, exactly. It's a Trojan, which means it either persuades you to let it run or sneaks in by the back door via a drive-by, which means you haven't updated one of the commonly-targeted programs that the Exploit Kits go after. McAfee detects it only by checking the MD5 or SHA1 signatures of any files created or downloaded. So change the MD5/SHA1 signature and it's effectively an unknown file. As for the specific file that is the subject of this thread, it's only a dropper file. It requests another file to be downloaded. "McAfee lets it through" because anti-virus programs, if they work on a signature-checking basis, can be fooled simply by modifying the code to create a new signature. Fortunately signature-checking is only one of the ways to detect malware. There are better ways to stop malware running, involving behaviour analysis. But even that isn't foolproof, and the detection algorithms have to be constantly modified to counter the latest malware developments.

                McAfee isn't a magic shield, and nor are any of the rival products. It does pretty well, though.
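The point made in the reply above, that a scanner which only compares MD5/SHA1 digests is defeated by any change to the file while a check on what the file contains or does is not, can be seen in a few lines. The following is an added example written for this thread, not code from the forum, McAfee or Microsoft. The "samples" are constructed text stand-ins that merely mention rundll32.exe (the one behaviour the thread attributes to the dropper script); they are not the real JS/Ransom-ABJ file, and the hash blocklist and the `rundll32` content indicator are assumptions made up for the demonstration.

```python
"""Hash-only IoC matching versus a content indicator (constructed example)."""
import hashlib
import re

# Constructed stand-in for a downloaded script. It is plain text, not a real
# dropper; it only mentions rundll32.exe, as the thread says the real file does.
ORIGINAL_SAMPLE = b'// constructed sample\nvar target = "rundll32.exe";\n'

# The same text with one cosmetic edit (an extra "!" inside a comment). This is
# the kind of trivial change the reply says yields an "unknown" file for a
# hash-based check.
MODIFIED_SAMPLE = ORIGINAL_SAMPLE.replace(
    b"// constructed sample", b"// constructed sample!"
)


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 digests of the bytes, the two the reply mentions."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


# Hypothetical IoC list built from the original sample only.
HASH_BLOCKLIST = {file_hashes(ORIGINAL_SAMPLE)["sha1"]}


def hash_match(data: bytes, blocklist=HASH_BLOCKLIST) -> bool:
    """Signature check of the simplest kind: is this exact file known bad?"""
    return file_hashes(data)["sha1"] in blocklist


# Hypothetical content indicator: the script references rundll32 at all.
RUNDLL32_RE = re.compile(rb"rundll32(\.exe)?", re.IGNORECASE)


def content_match(data: bytes) -> bool:
    """Content check: survives edits that leave the rundll32 reference intact."""
    return RUNDLL32_RE.search(data) is not None


def assess(data: bytes) -> dict:
    """Run both checks so the two outcomes can be compared side by side."""
    return {"hash_match": hash_match(data), "content_match": content_match(data)}


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("modified", MODIFIED_SAMPLE)):
        print(name, file_hashes(sample)["sha1"], assess(sample))
```

The original sample is caught by both checks; the modified copy has a different MD5 and SHA-1 and sails past the hash blocklist, yet the content indicator still fires. The indicator is deliberately crude: `rundll32` also appears in plenty of legitimate scripts, so a real product cannot rely on a substring alone, which is why the reply points to behaviour analysis as the better, if still imperfect, layer.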