Key information about close.js file
Close.js serves as one of the execution element in the Spora ransomware campaign. Though the latter file-encrypting threat emerged on January 10th, it had already evolved into Spora 2.0 ransomware. Due to an exquisite execution, the malware has already earned the title of “the most sophisticated ransomware.” It attracted attention by offering an elaborate payment site. Recent discoveries reveal that the villains try to spread the malware as a Chrome Font plug-in. Thus, it is necessary to understand how this virus spreads in order to cease it on time. Speaking of the prevention, Google has declared to block .js files as email attachments, the prevalent instrument of ransomware threats, on February. Unfortunately, the cyber villains quickly found a workaround.
In order to avoid prevention measures set by IT experts, the crooks of Spora have enwrapped the file into several layers. They try to deceive users by naming the attached files as invoices or important reports sent by official institutions. Close.js is disguised as a .hta attachment which is placed in a double zipped .zip folder. Once a victim extracts it, itplaces the malevolent file in %TEMP%\close.js folder. In fact, the latter file encompasses two types of files – .docx and .exe. Such peculiarity launches the counterfeited Word document with the message “Word can’t open this document. This document is either corrupt or protected under Rights Management.” Such message is displayed only to misguide users and win time so that they would not interfere with the execution of the malware. Behind this veneer, Spora malware silently starts running its processes. Furthermore, close.js file works in cooperation with .lnk files which activate the worm-like features of the malware. They imitate the existing legitimate system files and folders. They are rooted in the removable drivers and system drive. In short, whenever you surf through the system, you might only speed up Spora infection processes.
When does this file get into a PC?
Mainly, close.js and the main payload of Spora is delivered in a spam email attachment. Thus, it is of utmost importance to stay vigilant and not to rush open any emails even if they claim to be sent by the very FBI. The most recent version, Spora 2.0, includes an updated distribution campaign. The crooks decided to target Chrome users. If they visit an infected domain which contains exploit kit, they will be redirected to the web page full of unreadable text. The notification “TheHoeflerText wasn’t found” urges netizens to enable Chrome Font pack. Instead of the solution, users would enable Spora hijack. Thus, it is crucial not only to arm up with proper security application but to retain common sense and think twice before enabling any plug-ins or installing new applications.
Eliminating the malicious file and the virus
Even if you delete close.js file, it will hardly affect Spora malware. You need to remove all elements of the malware. For that purpose, ReimageIntego or Malwarebytes might be a proper solution. Update the software for it to perform its mission properly. Keep in mind that Spora removal would not decrypt the files. Currently, there is no official decryption software for this malware, but there are alternative methods to retrieve the data. Do not panic if you cannot remove the threat easily. You might need to launch your device in Safe Mode to fully remove Spora virus. You will find detailed instructions in the elimination instructions.