This JavaScript Malware shuts down your PC if you terminate it!

Researchers at Kahu Security have unearthed a new JavaScript malware. The malware is written in JavaScript and its job is to hijack the browser. The characteristic feature of this JavaScript-based malware is that if you detect it and attempt to terminate its process, it shuts down your computer.

According to the researchers this is not a new malware but a variant of a family first seen in 2014. The latest variant, however, is more advanced, more lethal and more damaging. The malware is spread through the familiar technique of email spam. Despite being written in JavaScript, it is not executed inside the browser but by the Windows Script Host, the script interpreter built into Windows.

The researchers found that the criminals behind this malware took strenuous efforts to hide its real payload behind a jumble of random characters. The malware is designed to change underlying operating system settings, and its obfuscation makes use of tricks such as encoded characters, regex replace, regex search, conditional statements and unusual base conversions.

The researchers charted all the steps the script goes through:

  • A new folder is created in the AppData\Roaming directory. It is then hidden using a new registry key.
  • The legitimate Windows wscript.exe application is copied into this new folder and given a new random name.
  • The script then copies itself into this new folder and creates a shortcut to itself. The shortcut is named ‘Start’ and is placed in the “Startup” folder, which makes it accessible via the Windows Start Menu.
  • A fake folder icon is assigned to the Start shortcut. This is meant to trick users into thinking it's a folder and not a file.
  • The rest of the script then checks for an internet connection by contacting Microsoft, Google or Bing.
  • Telemetry data is sent to urchintelemetry dot com. The script then downloads an encrypted file from this site and runs it.
  • The encrypted file is a different JavaScript file that infects the browsers and changes their homepage. The homepage redirects the user to another site.
  • This script also uses Windows Management Instrumentation to look for security software.
  • If such software is found, it is terminated using a bogus error message.
  • If the user locates this malware running in Task Manager and tries to stop it, the PC is shut down, because the script executes a command-line shutdown command when its process is terminated.
  • When the PC restarts, the JavaScript runs again.

The remedy for this malicious script is to start the PC in Safe Mode and then remove the Startup shortcut and the folder under AppData\Roaming.
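The persistence artifacts described above (a renamed copy of wscript.exe under AppData\Roaming and a Start shortcut in the Startup folder that carries a folder icon) can be enumerated without touching the running process. The following PowerShell triage script is an added example written for this article; it is not code from Kahu Security or from the malware write-up. It assumes the per-user Roaming and Startup locations, compares file hashes against the genuine wscript.exe in System32 (and SysWOW64 where present), and reads each Startup .lnk through the WScript.Shell COM object. The icon test (any icon taken from shell32.dll) is a coarse heuristic of my own, not a fact from the article.

```powershell
# Added example: read-only triage for the persistence artifacts described in
# the article. It only reports; it never kills a process or deletes a file,
# so it does not trip the termination-triggered shutdown.

$roaming = $env:APPDATA                              # C:\Users\<user>\AppData\Roaming
$startup = [Environment]::GetFolderPath('Startup')   # per-user Startup folder

# Genuine Windows Script Host binaries to compare against (64-bit and 32-bit).
$genuine = @(
    (Join-Path $env:SystemRoot 'System32\wscript.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\wscript.exe')
) | Where-Object { Test-Path $_ }

$genuineSizes  = $genuine | ForEach-Object { (Get-Item $_).Length }
$genuineHashes = $genuine | ForEach-Object { (Get-FileHash -Path $_ -Algorithm SHA256).Hash }

# 1. Renamed copies of wscript.exe anywhere under Roaming, hidden folders included.
#    Cheap size filter first, then a SHA-256 comparison against the real binary.
$copies = Get-ChildItem -Path $roaming -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $genuineSizes -contains $_.Length } |
    Where-Object { $genuineHashes -contains (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }

# 2. Shortcuts in the Startup folder: resolve target, arguments and icon.
#    CreateShortcut on an existing .lnk returns its properties without modifying it.
$shell = New-Object -ComObject WScript.Shell
$links = Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            Icon       = $lnk.IconLocation
            # Flags: target lives under Roaming, a script file is passed as an
            # argument, or the icon is borrowed from shell32.dll (heuristic, assumed).
            Suspicious = ($lnk.TargetPath -like "$roaming*") -or
                         ($lnk.Arguments -match '\.(js|jse|wsf)\b') -or
                         ($lnk.IconLocation -match 'shell32\.dll')
        }
    }

if ($copies) {
    "Copies of wscript.exe under $roaming (hash matches the System32/SysWOW64 binary):"
    $copies | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
} else {
    "No renamed copies of wscript.exe found under $roaming."
}

$flagged = $links | Where-Object { $_.Suspicious }
if ($flagged) {
    "Suspicious shortcuts in $startup:"
    $flagged | Format-List Shortcut, Target, Arguments, Icon
} else {
    "No suspicious shortcuts in $startup."
}
```

Run it from an elevated PowerShell session in Safe Mode, as the article advises, before removing anything: the output gives you the exact shortcut path and the hidden folder to delete, and because the script never terminates the wscript.exe process it does not provoke the shutdown the malware triggers on termination. Treat the shell32.dll icon test as a prompt for a closer look rather than a verdict, since a legitimate shortcut can also use a stock icon.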

Cyware Publisher