Author Topic: Help! Virus found: os _merge[3].js  (Read 2287 times)

Offline destro2k

« on: August 29, 2012, 12:35:35 AM »
Hello all,
I'm new to the forum. I just got my first virus hit. Is anyone familiar with virus os _merge[3].js? What does it do? I googled it but found nothing.

Online Pondus

« Reply #1 on: August 29, 2012, 05:41:13 AM »
We need more info here.
What name did avast give it?
Where was it found?
What scan or shield found it?

You may attach a screenshot of the scan result.
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.

Offline destro2k

« Reply #2 on: August 29, 2012, 11:50:06 AM »
Virus Name: os _merge[3].js
Found in Temporary Internet Files folder.
Full system scan found virus.

I've attached screenshots of the Virus Chest & Scan Logs.

Offline destro2k

« Reply #3 on: August 29, 2012, 12:25:44 PM »
It seems that my screenshot attachments aren't working so


Here is Virus Chest content:

Name: os_merge[3].js
Original location: C:\Users\Destro2k\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\35A22CAC
Last changed: 8/2/2012 9:19:51 PM
Transfer time: 8/28/2012 9:16:43 AM
Virus: JS:Blacole-AV[Trj]



Here is the Scan Results content:

File name: C:\Users\Destro2k\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\35A22CAC\os_merge[3].js
Severity: High
Status: Threat: JS:Blacole-AV[Trj]
Action: Move to Chest
Result: Action successful

Offline flashgamer001

« Reply #4 on: August 29, 2012, 02:56:27 PM »
Appears to be a malicious JavaScript, possibly spreading a FakeAV trojan.

Offline essexboy

« Reply #5 on: August 29, 2012, 03:20:13 PM »
There is a new zero day Java exploit for yet another unpatched vulnerability  http://www.geekstogo.com/
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html



Offline flashgamer001

« Reply #6 on: August 29, 2012, 03:24:27 PM »
Erm... it's JavaScript. Anyway, unless anything suspicious is going on, you probably don't need to worry.

Online Pondus

« Reply #7 on: August 29, 2012, 07:01:44 PM »
Quote
Erm... it's JavaScript. Anyway, unless anything suspicious is going on, you probably don't need to worry.
What is it you are trying to say ... since it is marked red?


http://en.wikipedia.org/wiki/Blackhole_exploit_kit
« Last Edit: August 29, 2012, 07:12:01 PM by Pondus »

Offline essexboy

« Reply #8 on: August 29, 2012, 07:08:23 PM »
The script exploits a Java vulnerability



Online Pondus

« Reply #9 on: August 29, 2012, 07:15:13 PM »
@destro2k

Quote
Virus Name: os _merge[3].js
Found in Temporary Internet Files folder.
Not correct ... os _merge[3].js is the file name.

This is the virus name that avast gave it: JS:Blacole-AV[Trj]. ;)
« Last Edit: August 29, 2012, 07:16:54 PM by Pondus »

Offline polonus

« Reply #10 on: August 29, 2012, 07:19:45 PM »
Pondus,

It is only to demonstrate that he apparently visited a website with a malicious JavaScript link that infected him, because he was vulnerable to what was exploited through that script.
That could be via a redirect and indeed could be a Java exploit.
Therefore it is advised that users disable Java for the time being until the existing 3 zero days have been patched or start to use NoScript inside the browser to be protected. In Google Chrome put this in the address bar: "chrome://plugins" (without "") - then all your active plugins are shown, now tag disable at the Java plugin and you are done... It is essential the eventual use of JavaScript is blocked until used and then some use a separate browser just for this purpose (sandboxed).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline flashgamer001

« Reply #11 on: August 29, 2012, 08:35:11 PM »
Quote
The script exploits a Java vulnerability
Ah, okay. Thank you for clarifying, essexboy. I didn't realize you were referring to the function of it and just thought you had misread it. My apologies.

Offline destro2k

« Reply #12 on: August 30, 2012, 12:30:00 AM »
Flashgamer001,
Quote
Erm... it's JavaScript. Anyway, unless anything suspicious is going on, you probably don't need to worry.
You sound as though there is no need to be concerned. Are JavaScript viruses inherently low risk?

Polonus,
I took your advice and disabled the Java plugin. What kind of problems should I expect to encounter on different websites as a result of disabling the Java plugin?

To all,
Should I wipe my system and reinstall OS?

Offline mchain

« Reply #13 on: August 30, 2012, 07:46:21 AM »
Hi destro2k,
Quote
Flashgamer001,
Erm... it's JavaScript. Anyway, unless anything suspicious is going on, you probably don't need to worry.
You sound as though there is no need to be concerned. Are JavaScript virus's inherently low risk?

Polonus,
I took your advice and disabled the java plugin. What kind of problems should I expect to encounter on different websites as a result of disabling java plugin?

To all,
Should I wipe my system and reinstall OS?
1.) No to low risk, it's actually the other way around.
2.) (Answering for Polonus. Hope you do not mind.) A website with a BlackHole exploit cannot affect you if Java or Flash is disabled. You will not be able to view Java content within your browser while it is disabled. As the vendor, Sun Oracle, rarely issues out-of-band patches for Java, you may have to wait for the next scheduled patch in October.
3.) Go here and run these three programs: Malwarebytes, OTL, and aswMBR.exe. Scan logs will be produced; attach all logs here in your next reply. Here: http://forum.avast.com/index.php?topic=53253.0 A volunteer malware expert will be along to assist you shortly.

BTW, since Oracle seemingly will not give out-of-cycle patches, I do not run or have Java on my system. One less thing to worry about.
XP Pro SP3 P4 3.2 HT 2GB RAM AIS v 8.0.1489 Secunia PSI version 2.0.0.3003 TREND Micro RUBotted Beta Javacool SpywareBlaster version 5.0 Sandboxie v. 3.76 WOT (Web Of Trust) Browser reputation-based add-on http://www.mywot.com/

Online Pondus

« Reply #14 on: August 30, 2012, 08:14:36 AM »
Quote
Should I wipe my system and reinstall OS?
Why? ... avast found it and removed it.
If you are suspicious, follow suggestion 3 from mchain and attach the logs requested.