Hey guys!
Thanks for giving me some of your time!
Lately I stumbled upon one weird thing: my USB got infected by a weird virus that multiplies by JPGs!
Avast doesn't recognize it as a virus though.
So, I would like to leave it to an expert to see whether it is really dangerous or not.
PS: For clarification, these files are not real JPGs; open them with Notepad.
PS²: Again for clarification, the JPGs are just the source of something weird; they can't infect without the Autorun file.
http://jmp.sh/YCxfVYQ
Free USB protection and cleaning: MCShield http://www.mcshield.net (used by this forum's malware removal team)
Scan of your files https://www.metascan-online.com/#!/results/file/a13ee4f0d2324f979b08996da374d146/extracted
Samples sent to avast lab
thanks for samples
I have a Windows XP machine (Oracle VM) with 512 MB of memory
avast did not detect it
I sent it yesterday; to date, nothing
The LNK shortcuts, when submitted to VirusTotal, changed their name to wscript.exe and were then compressed into a zip, and this is always normal behavior on removable media.
We do not currently have the VBS file and, as usual, the infection parts of the image where you are folders with shortcuts have the following attributes
C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode img.jpg
new to me
http://i.imgur.com/JuKsIiY.png
img.jpg Trojan.VBS.Agent.PU
Photo0.jpg
photos.jpg
Administrateur.lnk
Nouveau.lnk
Nouveau Dossier.lnk
I created detections for the files, and blocked the URL which it connected to (hxxp://bahaty.com/red/1.php)
Thanks for reporting it!
URL is blocked, confirmed with the update VPS 191215-0
6 files now included
Photo0.jpg - VBS:Agent-BOJ [Trj]
photos.jpg - VBS:Agent-BOK [Trj]
img.jpg - VBS:Agent-BOL [Trj]
Administrateur.lnk - Other:PUP-gen [PUP]
Nouveau.lnk - Other:PUP-gen [PUP]
Nouveau Dossier.lnk - Other:PUP-gen [PUP]
autorun.inf is detected with Other:Malware-gen [Trj]
I confirmed the files will be detected, reclassified, in the new VPS:
Administrateur.lnk - LNK:Agent-H [Trj]
Nouveau.lnk - LNK:Agent-H [Trj]
Nouveau Dossier.lnk - LNK:Agent-H [Trj]
Confirmation that avast is detecting it:
https://www.virustotal.com/en/file/f9ee2c3b4d37c506099e827c0ba2d2e761cb81e403f96250c9e581b55fde8838/analysis/1457519579/
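A detection check for the shortcut target quoted earlier in the thread, added here as an example and not code from any poster or from avast: it flags a Windows Script Host command line that names a script engine with /e: for a file lacking a script extension. Every sample line except the first is constructed, and accepting both / and // as the option prefix is an assumption.

```python
import ntpath
import re
import shlex

# Windows Script Host binaries and the extensions they normally run.
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Engine override; one or two leading slashes are accepted (assumption).
ENGINE_OPT = re.compile(r"^//?e:(.+)$", re.IGNORECASE)


def inspect_command(cmdline):
    """Return a finding when a script host is told which engine to use
    for a file that does not carry a script extension, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:  # unbalanced quote: fall back to whitespace split
        tokens = cmdline.split()
    tokens = [t.strip('"') for t in tokens]
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return None
    engine = target = None
    for tok in tokens[1:]:
        match = ENGINE_OPT.match(tok)
        if match:
            engine = match.group(1)
        elif not tok.startswith("/") and target is None:
            target = tok  # first non-option argument is the file to run
    if engine is None or target is None:
        return None
    ext = ntpath.splitext(target)[1].lower()
    if ext in SCRIPT_EXTS:
        return None
    return {"engine": engine, "target": target, "extension": ext}


# First line is the shortcut target quoted in the thread; the rest are constructed.
SAMPLES = [
    r"C:\WINDOWS\system32\wscript.exe /e:VBScript.Encode img.jpg",
    r'"C:\Windows\System32\cscript.exe" //E:JScript "E:\New Folder\photos.dat"',
    r"C:\WINDOWS\system32\wscript.exe //E:VBScript backup.vbs",
    r"C:\WINDOWS\notepad.exe img.jpg",
]

def scan(cmdlines):
    """Map each flagged command line to its finding."""
    return {c: f for c in cmdlines if (f := inspect_command(c)) is not None}

if __name__ == "__main__":
    for cmd, finding in scan(SAMPLES).items():
        print("SUSPICIOUS:", cmd, finding)
```

The command lines to feed it would come from shortcut targets on the removable drive or from process-creation logs.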