
JS/Pegel.B580!tr - Released Jun 10, 2010 - Last Updated Jun 15, 2010

Alias/es

Trojan-Downloader.JS.Pegel.bc (KAV), JS_REDIRECTOR.CH (Trend), JS/Downloader.gen trojan (McAfee)

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms


  • This malware tries to access a URL from a remote location. There may be no visible symptoms.

Detailed Analysis


  • This detection is for obfuscated JavaScript code that tries to access a URL from a remote location.

  • It may be received as an attachment to a SPAM email. An example of the email is the following:

    • From: varies. Examples are the following:

      • microsoft outlook support [cynicallytv@researchresponse.com]
      • microsoft outlook support [lessonsso5@rotinconcept.com]
      • hksunlogistics.com support [admin@hksunlogistics.com]

    • To: recipient of the SPAM email.

    • Subject: varies. Examples are the following:

      • Outlook Setup Notification
      • hksunlogistics.com account notification

    • Body: varies. Examples are the following:

      You have (8) messages from Microsoft Outlook.

      Please re-configure your Microsoft Outlook again.

      Download attached setup file and install.


      Dear Customer,

      This e-mail was send by hksunlogistics.com to notify you that we have temporanly prevented access to your account.

      We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions.

      (C) hksunlogistics.com

    • Attachment: open.html

  • The URL that it tries to access is the following:

    • http://[Removed].com/images/z.htm

    As of this writing, the above web site redirects the browser to another website that shows advertisements for various pills/drugs.
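    As an added example (not part of this advisory and not Fortinet's detection logic), the following static triage for an HTML attachment of the kind described above pulls out the script blocks, peels percent-encoded unescape() layers, and flags scripts that combine obfuscation with a redirect or an embedded URL. The sample attachment and the host example.invalid are constructed stand-ins for the real sample and the removed URL.

```python
import re
from urllib.parse import unquote

# Constructed sample attachment modelled on the behaviour described above:
# an unescape()'d string that sends the browser to a remote URL, run via eval().
# The host example.invalid is a placeholder, not the real redirect target.
REDIRECT_JS = 'window.location="http://example.invalid/images/z.htm"'
PAYLOAD = "".join("%%%02X" % ord(c) for c in REDIRECT_JS)
SAMPLE_OPEN_HTML = f"""<html><body>
<script>
var s = unescape("{PAYLOAD}");
eval(s);
</script>
</body></html>"""

# Functions commonly used to hide a payload, and ways of steering the browser elsewhere.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
REDIRECT_MARKERS = ("window.location", "location.href", "location.replace", "document.location")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_scripts(html):
    """Return the bodies of all <script> blocks in the attachment."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.I | re.S)


def decode_layers(text, max_rounds=3):
    """Peel nested %XX (unescape-style) layers so hidden URLs become visible."""
    layers = [text]
    for _ in range(max_rounds):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return "\n".join(layers)


def triage_html_attachment(html):
    """Flag script blocks that pair obfuscation with a redirect or an embedded URL."""
    scripts = extract_scripts(html)
    raw = "\n".join(scripts)
    decoded = decode_layers(raw)
    obfuscation = [m for m in OBFUSCATION_MARKERS if m in raw]
    redirects = [m for m in REDIRECT_MARKERS if m in decoded]
    urls = sorted(set(URL_RE.findall(decoded)))
    suspicious = bool(scripts) and bool(obfuscation) and (bool(redirects) or bool(urls))
    return {"scripts": len(scripts), "obfuscation": obfuscation,
            "redirects": redirects, "urls": urls, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_OPEN_HTML))
```

    The URLs it surfaces are candidates for blocking at the mail gateway or web filter; a plain HTML attachment with no script, or a script without obfuscation, is not flagged.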


Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1857282