F-Secure DeepGuard alarm and wscript.exe

OGrelck

Greetings,

we got a F-Secure DeepGuard alarm today.

The User told me he download a zip file with Google Chrome,

in which should be a word document.

He said he deleted the zip file an did not open

it. Attached some screenshots from F-Secure.

  

The question is, is it true that he did not open it?

Can F-Secure detect it without running something

or did the user run the file inside the zip? Was

the wscript.exe called by this or did F-Secure only

detect, that inside the zip there is something which wants

to call wscript.exe?

Is it possible that Chrome can run wscript.exe or a JavaScript JS file

that is calling wscript?

Best Regards 

Ole

JamesC

Hi Ole

Regarding this case, I suggest to submit a case and sample to our detection team

https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

OGrelck

Hi Jamesch,

we don't have a sample, the download is already deleted

Is it possible to get informations from log files,

which file called wscript or wasn't it called only

a file was detected which.

Ole

OGrelck

Hi,

i could reconstruct the problem.

I used the Chrome DownloadMetadate file to find the downloaded zip.

I downloaded the file in a safe environement and decompressed it.

Inside there was a obfusicated js file, which calls wscript to load

a file from the internet and runs it.

The user has open the zip and clicked the js :-(

Ole

JamesC

Hi Ole

Just to confirm - this is not a product nor detection issue, correct ?