
TrojanDownloader Found in ZIP, did it execute?

3 replies to this topic

#1 howdj

  • Members
  • 3 posts

Posted 02 October 2017 - 07:25 AM

Hi all,

I normally manage and monitor my security very well. Today I decided to run a full scan using Windows Defender (I also run regular scans with Malwarebytes).

I got 1 threat found:

TrojanDownloader:JS/Swabfex.P

It was found in:

containerfile: C:\Users\[me]\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\5675bcd41be1517f\120712-0049\Att\20007f71\RG910001293SIG.zip

file: C:\Users\[me]\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\5675bcd41be1517f\120712-0049\Att\20007f71\RG910001293SIG.zip -> RG2083554235-SIG.js

I then cleared the file using Windows Defender's advice.

My question based on this is: how did it get there, and did downloading the zip automatically trigger the JS contents? I know that websites can download stuff in the background, but as far as I know, unless someone opens that zip, nothing will happen. I have never and would never open an unknown zip, and especially wouldn't run a rogue JS file within one, so I'm 99% sure I'm safe, but I thought I'd ask the professionals!

I've since run a full Windows Defender scan, a RogueKiller scan, and Malwarebytes (although that didn't even report it this morning), and no issues were found, but I'm interested in whether I should be changing passwords etc.

Any advice on how it got there, information on what can and can't run, and even an opinion on whether I should be concerned would be much appreciated!

Thank you all for any help!


#2 howdj

  • Topic Starter
  • Members
  • 3 posts

Posted 02 October 2017 - 07:48 AM

OK, from what I have managed to find out, it looks like the Mail/Calendar/People apps on Windows 10 that are connected to my account are downloading anything that arrives in my Hotmail inbox into these kinds of folders, and I've now turned off this auto sync. When I want to check my mail I will go to Hotmail instead of using the Mail app.

So now I have a clue how it got there.

My question is now simpler. By downloading this zip, will it have triggered the .js contents? I guess not, because otherwise with this sync, MS would be infecting millions of users every day by auto-downloading stuff. Any thoughts would be very welcome! :)



#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,493 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 October 2017 - 10:21 AM

You would normally need to open the file to make it execute.

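Added example, not code from the thread or from BleepingComputer: a small Python inventory that lists script-type entries inside cached attachment archives like the one Defender flagged above. It reads only the zip's central directory, so nothing is extracted or run, which is what makes it safe to point at a quarantine or cache folder. The LiveComm `Att` layout and the entry name RG2083554235-SIG.js are taken from the thread; the extension list, the sample archive contents and the helper names (`risky_entries`, `scan_directory`, `demo`) are my own assumptions. It also flags double extensions such as `name.pdf.js`, which Explorer displays as `name.pdf` when known extensions are hidden.

```python
"""Inventory script-type entries in cached mail attachments without extracting them.

Added example for the thread above; not part of any post. The LiveComm 'Att'
folder layout and the entry name RG2083554235-SIG.js come from the thread;
the extension list and the sample archive are constructed here.
"""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path

# Extensions Windows hands to a script host or loader when the file is opened.
# Assumption: a conservative, commonly used list, not something the thread states.
SCRIPT_LIKE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk"}


def risky_entries(zip_bytes: bytes) -> list[dict]:
    """List archive entries whose extension is in SCRIPT_LIKE.

    Only the central directory is parsed; no entry is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in Path(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in SCRIPT_LIKE:
                findings.append({
                    "name": info.filename,
                    "ext": ext,
                    "size": info.file_size,
                    # "invoice.pdf.js" shows as "invoice.pdf" when Explorer hides
                    # known extensions, so surface that separately.
                    "double_ext": len(suffixes) > 1,
                })
    return findings


def scan_directory(root: Path) -> dict[str, list[dict] | None]:
    """Map every .zip under root to its risky entries.

    A file that is not a valid archive maps to None so it is reported rather
    than silently skipped.
    """
    results: dict[str, list[dict] | None] = {}
    for path in Path(root).rglob("*.zip"):
        try:
            results[str(path)] = risky_entries(path.read_bytes())
        except zipfile.BadZipFile:
            results[str(path)] = None
    return results


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the archive in the thread (placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("RG2083554235-SIG.js", "// constructed placeholder, not the real sample\n")
        zf.writestr("invoice.pdf", "%PDF-1.4 placeholder\n")
        zf.writestr("statement.pdf.js", "// constructed placeholder, double extension\n")
    return buf.getvalue()


def demo() -> dict[str, list[dict] | None]:
    """Write the sample archive into a LiveComm-style 'Att' tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        att_dir = Path(tmp) / "LiveComm" / "Att" / "20007f71"  # layout from the thread
        att_dir.mkdir(parents=True)
        (att_dir / "RG910001293SIG.zip").write_bytes(build_sample_zip())
        (att_dir / "broken.zip").write_bytes(b"not a zip")  # constructed corrupt file
        results = scan_directory(Path(tmp))
    # Key by basename so the temporary path does not leak into the result.
    return {Path(k).name: v for k, v in results.items()}


if __name__ == "__main__":
    for archive, entries in demo().items():
        print(archive, "->", entries)
```

Pointing `scan_directory` at the LiveComm folder from the first post gives a per-archive list of which synced attachments carried scripts. Taken together with boopme's point that a .js file only runs when someone opens it, that inventory is what to review when deciding whether anything beyond deleting the attachment (password changes, for instance) is warranted.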

#4 howdj

  • Topic Starter
  • Members
  • 3 posts

Posted 04 October 2017 - 03:43 PM

Thank you boopme, good to know. I'm experiencing no issues and I've run multiple scans from multiple tools, and all report back well, so I'm assuming this topic is closed. Thank you!