Javascript Worm Virus

  • 28-12-2015 2:11pm, #1


    Hi guys

    I am running Windows 7 64-bit on a Lenovo laptop that I've had for approximately three years or thereabouts. So far so good until a few weeks ago, when AVG started flagging the presence of a JS/Worm-style virus.

    The warnings are persistent, which isn't unusual (I understand) with this type of virus. Obviously I remove them always, but it makes no difference.

    The paths to where the infected files are found all seem to be in various subfolders of my web browsers (I use Chrome - more on that in a second - and the warnings come from files in its subfolders, and also of IE and Firefox). Chrome, in recent days, has stopped opening altogether.

    I have been uber busy in work, using the laptop which meant I was reluctant to do any major DIY job to fix it because there's important files on there. The off-shoot though, as I've just realised, is that I now don't have a backup/restore point from when the problems emerged. My own fault, I know, and I don't know if I can retrieve one from earlier (perhaps you can help with that).

    Is my only option at this stage to back up files and to restore the laptop to factory settings, or is there a less drastic option? If you need more info, I'll happily supply it, and thanks in advance for any help.


Comments

  • Bluefrog


    I'll start by saying I'm a web developer, so I know quite a bit about the capabilities of JavaScript.

    In modern browsers JavaScript is sandboxed, which means (in theory and, as far as I am aware, in reality too) that no script can of itself harm your machine, at least not without you giving it express permissions with extensive warnings which should definitely arouse your suspicions. During the course of normal web browsing we all download JavaScript files in the background, which are then stored locally to help web pages load faster during revisits. These files assist your browser with everything from validating the info we enter in web forms to allowing websites to display targeted ads.

    Lately it seems that some of the ad networks have become compromised and are hosting ads which have been designed to deliver malware to unsuspecting victims via respected third party sites on which these ads appear. On desktops & laptops, most of these ads are using vulnerabilities in Adobe Flash installs which haven't been updated to the latest version to infect machines with malware - in many cases, these Flash vulnerabilities do not require any interaction from the user to install and launch the malware.

    There are also malicious ads that use JavaScript & cookies to redirect users from respected sites to dodgier ones, or even add unsafe content to current pages, and I believe it is these JavaScript files your antivirus is flagging. They are not a threat in and of themselves, but they could redirect you to sites with malicious Flash attacks as described above, or rely on enticing downloads or other social engineering to get you to install malware.

    So my advice would be: make sure all your browsers have the most up-to-date versions of Flash. Ensure that if you are prompted to update Flash, the URL you are downloading from is actually the Adobe website and not a clone - you can check the correct download location in Google. To deal with the existing JavaScript files, just empty your browsers' caches. To prevent new ones landing on your machine, you could install an ad blocker.

    Even if you are not noticing any odd behaviour on your machine it would probably be worth running a couple of different antivirus & malware sweeps just to rule out the presence of any existing malware. No one package will give you complete coverage and even a combo won't be 100% but it does improve your chances somewhat of not missing something. It should be noted that different antivirus packages don't tend to play well together so you should only run one at a time.

    Can't stress enough how important it is for folk to keep Flash up-to-date - seems new vulnerabilities are being found on an almost weekly basis.

    It does seem as though the ad networks are slowly beginning to actively defend against these malicious ads, but once again, no system will ever be perfect and some will always slip through. Really the best you can do is reduce your risk exposure, gauging the resources you put into that on the importance of what you do and store on your machine.
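    The post above says to check that a Flash update prompt really sends you to Adobe and not to a clone. The following is an added example (not from the thread or from any poster) of how such a URL check is done programmatically. It assumes that adobe.com and its subdomains (for instance get.adobe.com) are the only legitimate download hosts, and it rejects the usual tricks: lookalike domains such as adobe.com.example, "adobe" appearing only in the path or query string, userinfo before an @, trailing dots, and plain http.

```python
"""Decide whether a Flash 'update' download URL really points at Adobe.

Added example, not from the thread. Assumption: the only acceptable
registrable domain is adobe.com; any host that is adobe.com itself or a
subdomain of it is accepted, everything else is rejected.
"""
from urllib.parse import urlsplit

# Assumption for the example: the legitimate download domain(s).
LEGIT_DOMAINS = ("adobe.com",)


def is_trusted_download(url):
    """Return True only for an https URL whose host is adobe.com or below it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False          # a plaintext download can be swapped on the wire
    host = parts.hostname     # already lowercased; userinfo and port stripped
    if not host:
        return False
    host = host.rstrip(".")   # 'get.adobe.com.' is the same host as 'get.adobe.com'
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def review(urls):
    """Map each URL to its verdict, for a batch of prompts collected from a browser history."""
    return {u: is_trusted_download(u) for u in urls}


# Constructed sample URLs; the evil.example ones are the kind a malicious ad redirects to.
SAMPLE_URLS = [
    "https://get.adobe.com/flashplayer/",                 # genuine host
    "https://get.adobe.com.evil.example/flashplayer/",    # adobe.com used as a subdomain of evil.example
    "https://get.adobe.com@evil.example/flashplayer/",    # 'get.adobe.com' is userinfo, host is evil.example
    "https://evil.example/update?ref=https://get.adobe.com/",  # adobe only in the query string
    "http://get.adobe.com/flashplayer/",                  # right host, but plaintext
    "https://notadobe.com/flashplayer/",                  # suffix match without the dot would pass this
    "https://get.adobe.com./flashplayer/",                # trailing dot, same host
]

if __name__ == "__main__":
    for url, ok in review(SAMPLE_URLS).items():
        print("TRUSTED " if ok else "REJECT  ", url)
```

The check compares the whole host label by label (equality or a `.adobe.com` suffix), not a substring, which is why notadobe.com and adobe.com.evil.example both fail. A Cyrillic lookalike such as `аdobe.com` fails for the same reason: it is simply not the same string.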


  • Bluefrog


    Oh, and I should have added, there really isn't much excuse to have any important files stored solely on one machine anymore. Cloud services like Dropbox & Google Docs give you real-time, safe backups, or, since you mention you are using this machine for work, perhaps your employer has a backup facility.


  • gctest50


    The dodgiest adverts and things (used to / might still) log into your router and change the DNS setting to a rogue DNS server.

    Then AIB.ie, or whoever, wouldn't really be AIB anymore; you'd want to be very awake to cop it.

    http://www.dcwg.org/

    The botnet operated by Rove Digital altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.


  • Bluefrog


    I hope ISPs have gotten wise to those kinds of attacks. Not sure about the others, but UPC/Virgin now provide no access from the WLAN side for customers (pretty annoying, actually), so you'd probably have to go through an internal network client via email or browser vectors to make changes to DNS. If you are running your own router, I would hope you know enough to keep it patched, change the default login creds and secure any ports you have opened.

    In terms of DNS hijacking, evil twin access points in public wifi areas seem to me a bigger threat.
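    The two posts above describe a router whose DNS setting has been rewritten to a rogue resolver, which the victim only notices once a bank site stops being the bank. The following is an added example, not from the thread or from any poster, of the check a user on Windows 7 can run: parse the DNS Servers entries from `ipconfig /all` output and flag any resolver that is not one the owner expects. The sample output, the router address 192.168.1.1 and the trusted resolver range 198.51.100.0/24 are all constructed for the example (the 203.0.113.53 entry stands in for an unexpected resolver); a real run would use the machine's own output and the owner's own allowlist.

```python
"""Flag DNS servers in Windows 'ipconfig /all' output that are not on an allowlist.

Added example (not from the thread). Parses every 'DNS Servers' entry,
including the indented continuation lines ipconfig uses for extra servers,
and reports those outside the networks the owner trusts. A router whose DNS
has been silently rewritten shows up as an unexpected address here.
"""
import ipaddress
import re

# Constructed sample output, in the layout Windows 7's ipconfig /all uses.
# 192.168.1.1 stands for the home router; 203.0.113.53 (documentation range)
# stands for a resolver the owner never configured.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumption for the example: the resolvers this owner trusts are the router
# itself and a (constructed) ISP resolver block.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*: (\S+)")
_CONT_LINE = re.compile(r"^\s{30,}(\S+)$")   # extra servers are on deeply indented lines


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed under every adapter, in order."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            c = _CONT_LINE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns_block = False
    return servers


def unexpected_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the servers that fall outside every trusted network."""
    bad = []
    for s in servers:
        try:
            # Windows appends a '%scope' suffix to link-local IPv6 entries; drop it.
            addr = ipaddress.ip_address(s.split("%")[0])
        except ValueError:
            bad.append(s)   # something that is not even an address is worth a look
            continue
        if not any(addr in net for net in trusted):
            bad.append(s)
    return bad


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG   # off Windows, demonstrate on the constructed sample
    found = parse_dns_servers(text)
    print("DNS servers in use:", found)
    print("not on the allowlist:", unexpected_resolvers(found))
```

If the machine gets DNS from the router by DHCP, the entry to expect is usually the router's own LAN address (the same as Default Gateway). A public address you do not recognise in this list is the symptom gctest50 describes, and the place to look next is the router's DNS configuration, not the laptop.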

