Box Status

Windows Security Reporting Multiple Trojans Appearing in Box Cache Folder, Possibly tied to Sync Function

Follow
New post
j zz

This is occurring on two computers (fully updated Windows 10 and fully updated Windows 11) both using the most recent version of Box Drive and both sharing a number of folders through Box Drive.  

The reported trojan is:  Trojan:JS/Obfuse!MSR

When Box Drive is exchanging files, Windows reports a new instance of the trojan several times a minute (see example screen capture attached). If I close Box Drive or disconnect the computer from the internet, Windows Security stops reporting new instances of the trojan.  

So, an obvious question is whether Windows Security is misidentifying box cache files as trojans.  Another obvious possibility is that the trojan is being injected into Box cache files.  

This began today.   Previously there was never a reported occurrence of malware on either computer. 

Yesterday, I put both computers on the newest version of Box Drive.  They were previously sharing folders with one using Box Sync (W10) and the other using Box Drive (W11).   In the last few days, sync between the two computers was not working quickly; so, I put both onto the newest version of Box Drive hoping that would fix it.  

Yesterday, I also saved a number of web pages as references for upcoming travel, to the shared Box folders, and had opened and viewed some of them this morning on the W10 computer.  

The problem first appeared on the W10 computer.  Suspecting Box might have transferred the trojan from one computer to the other, I checked the W11 computer and Windows Security now says it has infected box cache files.  Likewise, if it is connected to the internet and Box Drive is open, Windows security regularly reports infected Box cache files. 

I'd appreciate any thoughts on this problem and suggestions anyone has on how to eliminate the problem if the computer now has malware.  It seems to be reloading the malware as Box Drive is syncing files. 

Note, scans of all user folders including AppData and full C drive scans with Windows Security and MalwareBytes do not show other instances of Malware once I’ve removed with via Windows Security and Box Drive is no longer actively connected to the internet and syncing.  

Screen Capture:  

 

 

 

1

Comments

2 comments

Date Votes
  • j zz

    Update:  Scanned with Virus Total and Microsoft Online Tools.  Both report malware.  See below.  

    After more observation, this is consistently happening when Box Drive is syncing files.

    OK, here are both the VirusTotal and Microsoft Scan Results. Virus Total shows 23 of 60 vendors labeling it Malware. Details below.

    VT Link: https://www.virustotal.com/gui/file/59e25f90d720c4f220ec4052920bc154385877f0d138976e1e378eca68499731/details

    Copy of details from VT, MS analysis at end.

    Basic properties

    MD5

    971921c91ab4daadf02c7e81010c657f

    SHA-1

    63677cef8025ef04a309e738d6eba1a5d96fc8ab

    SHA-256

    59e25f90d720c4f220ec4052920bc154385877f0d138976e1e378eca68499731

    Vhash

    ddd469b184d2f1bea951050029f6908f

    SSDEEP

    1536:F9U6muzg9fruXDjI59+Wz2yjf6atoyHoFhtrv:FBM9DunmLCFjy+trv

    TLSH

    T14D63848073C4BC92164B5B777717F4E5E87A5DACB484888AFA00BC44F1BDA26FAE4570

    File type

    JavaScript

    source

    javascript

    js

    Magic

    ASCII text, with very long lines (65536u), with no line terminators

    TrID

    file seems to be plain text/ASCII (0%)

    File size

    67.47 KB (69085 bytes)

    History

    First Submission

    2023-09-28 00:58:36 UTC

    Last Submission

    2023-10-05 20:09:01 UTC

    Last Analysis

    2023-10-05 18:44:55 UTC

    Names

    • get.js

    • 5901fc20-ec90-4e83-97f1-276ff442e44e

    • 0744c3ac-2efd-4a6b-bfe2-4f28e3a89e1d

    • 02d3f5a8-e134-40fd-ad1a-8b7706d951ad

    • cdn.js

    • post.js

    • step.js

    • start.js

    • post.listwithstats.com_post.js

    • page.listwithstats.com_stats_start.js

    Javascript info

    • charCodeAt

    • malformed

    • fromCharCode

    MS Results:

    Submission details

    6135d5d1-7898-4f90-ad94-1341d5a1f142

    Submission ID: 4d340cc4-97b3-48e3-8d25-0eb37be8165b

    Status: Submitted

    Submitted by: jonathan.zaremski@outlook.com

    Submitted: Oct 5, 2023 3:29:00 PM

    User Opinion: Incorrect detection

    Analyst comments:

    No analyst comment provided.

    ________________________________________

    Rescan submission

    Last rescan request: Oct 5, 2023 3:29:00 PM

    Rescan submission

    Search by file name

    Search

    Filter by determination

    Filter by determination

    Showing 1 of 1 entries

    File name Final determination Protection Current detection Definition version

    6135d5d1-7898-4f90-ad94-1341d5a1f142

    / Malware Cloud

    ________________________________________ Client Trojan:JS/Obfuse!MSR

    ________________________________________

    Trojan:JS/Obfuse!MSR

    Online

    ________________________________________1.399.71.0

     

    0
    Comment actions Permalink
  • j zz

    This is pretty troubling and I'm surprised that no one from Box Support has responded. 

    Is this a common issue with Box Sync and NOT a virus/trojan problem?   On doing internet searches, I see that dropbox has a similar issue and their support team posted that it is part of their sync process and that their sync files are being misidentified as virus/trojans. 

    OR in this case, is it possible that Box Sync's process have been corrupted and a virus/trojan is being injected?

    Either way, shouldn't Box respond? 

     

    0
    Comment actions Permalink

Please sign in to leave a comment.