Author Topic: VBS: Bicololo-BU  (Read 8609 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
VBS: Bicololo-BU
« on: June 20, 2017, 03:38:54 PM »
Hi. Hoping to find out if these AV threat warnings I have been receiving all morning are legit or a false positive?

Haven't downloaded any files, emails, attachments but the past hour I can't hit a webpage without seeing 6 of these pop up. Same threat warning over and over.
So far Malwarebytes logs dont show anything.
AV popping up non stop telling me its blocked a threat and moved it to the chest - which appears to becoming quite full.


/applications/Google Chrome.app/Contents/MacOS/GoogleChrome/Users/BlankName/Library/ApplicationSupport/Google/Chrome/Default/LocalExtensionsSettings/gomekmidlodglbbmalcneegieacbdmki/140228.ldb


Edit:    Wont stop. Given up on Chrome for today and fine on Safari.   Hoping AV will somehow get around this...
« Last Edit: June 20, 2017, 04:39:51 PM by YIMA »

REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #1 on: June 20, 2017, 08:20:54 PM »
If anyone happens to know how to get rid of these pop ups, please let me know.

In the meantime, I am just going to uninstall Avast for now and install a different AV and see if that helps for i cant use my chrome browser like this.

Thanks


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: VBS: Bicololo-BU
« Reply #2 on: June 21, 2017, 12:47:58 AM »
What about uninstall Chrome reboot and reinstall?


REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #3 on: June 21, 2017, 01:27:18 AM »
I have tried everything short of a reinstall. I have d/l another AV which I may install later. It might be less work than a backup of settings and a reinstall of Chrome.
Every single page i click on brings up 6-8 of the same warnings, every single time.
Have run Malware, AV and everythings clean.

Have cleaned caches, advanced settings otherwise everything else i have seen online telling me what to do but nothing is working.
Was hoping that it might be on AV's end, and an update was needed but 12 hours later, admittedly I am losing patience.

Edit:   Finally located the file deep in chromes folder.  Deleted and so far seems ok.

Thanks
« Last Edit: June 21, 2017, 01:37:29 AM by YIMA »

REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #4 on: June 29, 2017, 07:47:57 PM »
hello, i have just received the same virus today. Do you know in which folder it is in exactly i can't seem to locate it. thank you.

REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #5 on: July 03, 2017, 05:49:38 PM »
Hey!

I received the same virus today. I found a way to get rid of it and it seems to be working atleast for now.

Find this location in your Mac: /Users/yourcomputername/Library/Application Support/Google/Chrome/Default/Local Extension Settings

Delete all the folders in that location. One of the folders seems to be infected – not sure which one, so you should delete them all. Hopefully this resolves the problem for you too. I will update if the alerts continue.


REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #6 on: August 05, 2017, 02:30:37 AM »
I first received a notification for this yesterday, but dismissed it after search results kept suggesting it might be a false positive. But today, Avast keeps blasting me w/popups for the trojan. Every time I open a new Chrome tab I get hit w/multiple popups. The shields scan says I'm currently at 323 files, and it's bound to grow if I open another tab or two (edit: now allegedly 535 by the time I finished posting this after researching the problem).

This Chrome forum post was not helpful: https://productforums.google.com/forum/#!topic/chrome/PyO_qzRXM5o

These Avast blog posts and the following Solvusoft blog post were helpful to me figuring out wht the hell this virus is. Apparently, it's a mutated Russian trojan (fwiw):
- https://blog.avast.com/2013/02/05/bicololo-virus-spreading-via-webserver-errors/
- https://blog.avast.com/2012/10/08/russian-odnoklassniki-spamming/
- http://www.solvusoft.com/en/malware/trojans/vbs-bicololo-bu/

Since Avast isolated the threat and placed them in the Chest, I deleted them in bulk. But when I opened a new tab just now, I got blasted w/about six popups. So does that mean there are six instances of the virus for each tab I open, or is this just overkill on Avast's part?

The .ldb file extension is a Microsoft Access "lock information file," which tracks users accessing an Access database of the same name.

When I searched for "gomekmidlodglbbmalcneegieacbdmki" in my Chrome extensions, it turns out that is the filename for Avast. So is Avast flagging its own Chrome extension, or is the six digit number as filename the actual virus? OP's was 140228.ldb. Mine is 051681.ldb.

I'm going to try OJP's method, since that seems to be where the virus is located. I'll report back what I find.

Oh, and fwiw, I'm running macOS Sierra Version 10.12.5 on a 2016 Macbook Pro, and my Chrome version is Version 59.0.3071.115 (Official Build) (64-bit).

REDACTED

  • Guest
Re: VBS: Bicololo-BU
« Reply #7 on: August 05, 2017, 03:24:47 AM »
Well, the deleting from the Avast Chest didn't solve the problem, which means that whatever is triggering the popups isn't whatever the file was that Avast isolated.

And so in addition to deleting the files located in the Avast Virus Chest, I just tried OPJ's method of deleting the files w/in the Local Extensions folder, and that worked. Popups gone, and Avast isn't freaking out on me anymore.

Thanks, OPJ!

*crosses fingers hoping the problem is gone for good*