VirusJS/Agent.QSM!tr
Analysis
JS/Agent.QSM!tr is a generic detection for a very small piece of JavaScript code that was found embedded in some XML files. The entire code basically says "Download File" from a certain location and then executes it.
The malware uses rundll32 to initiate a process for the HTML application, similar to the code below employed in the Poweliks malware:
- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";
- hxxp://atelier-kref{Removed}.de/mllgkkei24?\
- hxxp://autoghinzan{Removed}.it/mllgkkei16?\
- hxxp://autobody.cciwes{Removed}.net/mllgkkei21?\
- hxxp://autoecole-jeanloui{Removed}.com/mllgkkei11?\
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2021-09-28 | 89.04190 |