Domflash.ru is a deceptive website that presents forged Adobe Flash Player updates and spreads the Flash-2017.js file. Domflash appears on your screen after an automatic redirection leads you to it. First, the website displays a window with the following text: “To view this site you need to upgrade your Flash Player, simply click OK to download the setup utility and follow the instructions. After the navigation update site normally follow”. For some recipients, access to other tabs was blocked and they were forced to click the “Close” button. However, the website takes this as agreement to install the suggested update, and Flash-2017.js is quickly implanted into the operating system. According to the completed analysis of this file, it is labeled as a highly malicious Troj.Script.Agent.
WARNING: Flash-2017.js is extremely dangerous
The malicious executable, distributed via Domflash.ru, has been determined to contain functionality for elevating privileges, impersonating another user on the local machine and gaining lookup privileges. Malicious artifacts were also noticed in the context of the contacted host. It is also capable of automatically turning on or restarting the operating system. Additionally, the file connects to a host without a prior DNS lookup. Script executables also display a great deal of harmful activity.
Premiumcobrancas.trade/Boleto_Premium_Cobrancas_Janeiro_2017_Cliente and Assinaturacontratoa.host/ContratoAssinar are listed as the associated URLs. We also classify this file as a banking Trojan, since analysis implies that it functions as spyware. The malicious file can monitor your incoming connections, read the clipboard and record the keystrokes you type. This Trojan can even choose which files to destroy.
The infection was also observed contacting two hosts. The IP addresses 126.96.36.199 and 188.8.131.52 both indicate that the spyware connects to hackers from Chile. Two files are associated with this connection: wscript.exe and 7za.exe. These are not the only executables that Flash-2017.js extracts. In AppData, a malicious food.exe will be found, and one of its possible functions is to delete files. In the same folder, cosme.a3x is placed. Unfortunately, these are not the only files that compromise the affected operating system. If you have been taken to the Domflash.ru website, check that this Trojan is not currently stealing your credentials.
If you allow this process to keep running in your Windows Task Manager, you could suffer financial losses if your credit card balance hits zero. This Trojan could also commit identity theft. If none of these scenarios sound pleasant, scan your device for malware using reliable security tools.
Reimage, Spyhunter or Plumbytes will detect the Trojan and flag it as highly detrimental, and will then assist you in removing this malware. Since Flash-2017.js extracts a number of malicious executables, we advise using anti-malware tools. We are concerned that manual removal may not be enough to remove every threat.
How do Trojans transmit?
Trojans end up on operating systems after users are deceived into downloading malicious executables. In this case, the source of the harmful activity was installed automatically after people were redirected to the Domflash.ru website. By posing as a Flash Player update, the file is expected to be regarded as insignificant and harmless. However, it initiates a number of covert procedures, all focused either on infecting you with additional malware or on extracting personally identifiable information from unsuspecting users.
Trojans rarely show significant signs that an operating system has been compromised. Slight crashes or freezes are possible. In the worst cases, a Trojan can implant a ransomware payload that will encrypt all of your digital data and demand a fee for decryption. Avoid visiting unknown websites, and if you are redirected to an unknown website, avoid clicking on anything there.