F-Secure DeepGuard alarm and wscript.exe
We got an F-Secure DeepGuard alarm today.

The user told me he downloaded a zip file with Google Chrome, which was supposed to contain a Word document. He said he deleted the zip file and did not open it. Attached are some screenshots from F-Secure.

The question is: is it true that he did not open it? Can F-Secure detect it without running something, or did the user run the file inside the zip? Was wscript.exe called by this, or did F-Secure only detect that inside the zip there is something which wants to call wscript.exe?
Regarding this case, I suggest submitting a case and sample to our detection team.
I could reconstruct the problem.

I used the Chrome DownloadMetadata file to find the downloaded zip. I downloaded the file in a safe environment and decompressed it. Inside there was an obfuscated js file, which calls wscript to load a file from the internet and run it.

The user had opened the zip and clicked the js :-(
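The follow-up shows the pattern behind the alarm: a script file inside the zip that Windows Script Host runs when double-clicked. The static triage below is example code added here, not F-Secure's or the thread's; it lists zip entries with WSH-executable extensions and scans them for a hand-picked (assumed) indicator list without executing anything, so a responder can answer "what was in the zip" from a copy of the archive. The archive it inspects is constructed inline to resemble the case.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host (wscript.exe / cscript.exe) executes on double-click.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document extensions commonly used to make a script look like a document (e.g. "Invoice.doc.js").
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}
# Assumed indicator list: object names and calls typical of script-based downloaders.
INDICATORS = {
    "WScript.Shell": "shell object (command execution)",
    "MSXML2.XMLHTTP": "HTTP request object (download)",
    "ADODB.Stream": "binary stream (writes downloaded bytes)",
    "eval(": "runtime evaluation (obfuscation)",
    "unescape(": "string decoding (obfuscation)",
}

def triage_zip(data: bytes) -> List[Dict]:
    """Statically inspect a zip: entries are only read as bytes, never extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stem, ext = os.path.splitext(info.filename)
            if ext.lower() not in WSH_EXTENSIONS:
                continue  # not something wscript.exe would launch
            text = zf.read(info).decode("latin-1")  # lossless decode for substring scan
            hits = [desc for needle, desc in INDICATORS.items() if needle in text]
            findings.append({
                "name": info.filename,
                "wsh_extension": ext.lower(),
                # a second, document-like extension in front of the script extension
                "masquerades_as_document": os.path.splitext(stem)[1].lower() in DOC_EXTENSIONS,
                "indicators": hits,
                "suspicious": bool(hits),
            })
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive: a .js file posing as a Word document plus a harmless text file."""
    script = ('var sh = new ActiveXObject("WScript.Shell");\n'
              'var req = new ActiveXObject("MSXML2.XMLHTTP");\n'
              'eval(unescape("%2f%2a%20placeholder%20%2a%2f"));\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2017.doc.js", script)
        zf.writestr("readme.txt", "harmless text")
    return buf.getvalue()

if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

A DeepGuard-style alarm on wscript.exe means the host was asked to run such a file; this check only tells you what the archive contained, not whether it ran, which is why correlating with the endpoint's process events (as the thread's author did via the Chrome download metadata) still matters.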