Help! Virus found: os _merge[3].js

Hello all,
I’m new to the forum. I just got my first virus hit. Is anyone familiar with virus os _merge[3].js? What does it do? I googled it but found nothing.

We need more info here.
What name did avast give it?
Where was it found?
What scan or shield found it?

You may attach a screenshot of the scan result.

Virus Name: os _merge[3].js
Found in Temporary Internet Files folder.
Full system scan found virus.

I’ve attached screenshots of the Virus Chest & Scan Logs.

It seems that my screenshot attachments aren’t working so

Here is Virus Chest content:

Name: os_merge[3].js
Original location: C:\Users\Destro2k\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\35A22CAC
Last changed: 8/2/2012 9:19:51 PM
Transfer time: 8/28/2012 9:16:43 AM
Virus: JS:Blacole-AV[Trj]

Here is the Scan Results content:

File name: C:\Users\Destro2k\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\35A22CAC\os_merge[3].js
Severity: High
Status: Threat: JS:Blacole-AV[Trj]
Action: Move to Chest
Result: Action successful

Appears to be a malicious Javascript, possibly spreading a FakeAV trojan.

There is a new zero day Java exploit for yet another unpatched vulnerability http://www.geekstogo.com/
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html

Erm… it’s JavaScript. Anyway, unless anything suspicious is going on, you probably don’t need to worry.

What is it you are trying to say… since it is marked red?

http://en.wikipedia.org/wiki/Blackhole_exploit_kit

The script exploits a Java vulnerability

@destro2k

Virus Name: os _merge[3].js Found in Temporary Internet Files folder.
Not correct... os _merge[3].js is the file name.

This is the virus name that avast gave it: JS:Blacole-AV[Trj]. :wink:

Pondus,

It is only to demonstrate that he apparently visited a website with a malicious javascript link that infected him, because he was vulnerable to what was exploited through that script.
That could be via a redirect and indeed could be a java exploit.
Therefore it is advised that users disable java for the time being until the existing 3 zero days have been patched or start to use NoScript inside the browser to be protected. In google chrome put this in the address bar: “chrome://plugins” (without “”) - then all your active plugins are shown, now tag disable at the java plugin and you are done… It is essential the eventual use of javascript is blocked until used and then some use a separate browser just for this purpose (sandboxed).

polonus

Ah, okay. Thank you for clarifying, essexboy. I didn’t realize you were referring to the function of it and just thought you had misread it. My apologies.

Flashgamer001,

You sound as though there is no need to be concerned. Are JavaScript viruses inherently low risk?

Polonus,
I took your advice and disabled the java plugin. What kind of problems should I expect to encounter on different websites as a result of disabling java plugin?

To all,
Should I wipe my system and reinstall OS?

Hi destro2k,

1.) No to low risk, it’s actually the other way around.
2.) (Answering for Polonus. Hope you do not mind) A website with a BlackHole exploit cannot affect you if java or flash is disabled. You will not be able to view java content within your browser while it is disabled. As the vendor, Sun Oracle, rarely issues out-of-band patches for java, you may have to wait for the next scheduled patch in October.
3.) Go here and run these three programs: Malwarebytes, OTL, and aswMBR.exe. Scan logs will be produced; attach all logs here in your next reply. Here: http://forum.avast.com/index.php?topic=53253.0 A volunteer malware expert will be along to assist you shortly.

BTW, since Oracle seemingly will not give out-of-cycle patches, I do not run or have java on my system. One less thing to worry about.

Should I wipe my system and reinstall OS?
Why? ... avast found it and removed it. If you are suspicious, follow suggestion 3 from mchain and attach the logs requested.

No, I don’t know why I said that. It definitely is a good idea to check with the scanners as suggested by mchain. Most malware causes visible signs, but there are ones that aren’t obvious. I must not have been thinking.

Update released http://isc.sans.edu/diary/Oracle+Releases+Java+Security+Updates/14008

Yep… they have… running a manual update… and down it came.

Thanks for the info :wink:

Malwarebytes and aswMBR.exe logs are attached.

OTL log attached (split in two due to upload size failure).