Trojan:Win32/CoinMiner.C!rfn

edited June 6, 2020
Apparently, Windows Defender Antivirus has detected the Trojan:Win32/CoinMiner.C!rfn in the following file path C:\Users\***\Zotero\storage\8LILIY9S\counter.js

This has - to my knowledge - not come up at the other computers that I use.

How can I identify the associated entry in Zotero?

I found it. It's the following.

Raza, Sheeraz. ‘Global Value: Does the Cape Ratio Work Globally?’ ValueWalk (blog), 20 March 2014. https://www.valuewalk.com/2014/03/global-value-meb-faber/.

  • The folder name is the item key. Paste 8LILIY9S into the search bar in All Fields & Tags mode, delete the attachment, and empty the trash.
  • Thanks for your quick response, @dstillman !

    How is it possible that by saving a blog post I might get a malicious JS-Script on my computers? Or could it be a false positive? Anyway, I would like to understand better how JS-Scripts can be saved to my HDD with the Zotero FF connector and how they might be malicious. Thanks in advance for sharing your insight.
  • The blog page likely had a coin miner embedded in it. When you save a snapshot, Zotero just saves the page the same way as if you right-clicked and chose "Save As" for the page. It won't do anything unless you open the snapshot in your browser (the same behavior as when you visit the blog page on the web). I suggest you install a coin miner blocker in your browser (e.g., NoCoin or the "Block Coin Miners" list in uBlock Origin).
  • The site was compromised, and you saved a snapshot of the page contents to Zotero. It's exactly the same as your browsing to that site and then using File → Save Page As in your browser.

    It's unlikely to be much of a threat — in this case, it's a cryptocurrency miner that uses your computer's processing power to generate bitcoins (or similar) while you're viewing a webpage. When you leave the page, it stops.

    We're going to be changing the way snapshots work soon to strip JavaScript and save fully static pages to Zotero, which should avoid this problem (and other JavaScript junk — interactive ads, etc.) in general.
  • I'm glad you're getting rid of the JavaScript junk.

    Thanks for the info!
  • edited June 8, 2020
    When only four anti-virus engines recognise counter.js as malicious, might it then be a false positive?

    See: https://www.virustotal.com/gui/file/31b819377de193d2ff6e0fe48959edf1456288a02cb0f0ae312386b05b39336d/detection
  • That's really beyond the scope of Zotero support -- if you're interested in details, you can follow up on a generalist or security related forum, but FWIW, I doubt this is a false positive. Cryptominers are common and not that hard to detect.
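The thread makes two practical points: the folder name under `Zotero/storage` is the attachment's item key, and a snapshot only becomes harmless once its JavaScript is stripped and the page is saved as fully static content. The script below is an added example written for this thread; it is not Zotero's own snapshot code and does not claim to reproduce the change the developers describe. It uses the Python standard-library HTML parser to re-serialise a snapshot while dropping `script`, `iframe`, `object` and `embed` elements, inline `on*` event handlers and `javascript:` URLs, and it locates a snapshot folder by item key. The storage path, the `.static.html` output name and the sample page are constructed for the example.

```python
"""Strip active content from a saved page snapshot so that a static copy
can be kept.  Example code for this thread, not Zotero's own code; paths,
file names and the sample page below are constructed."""
import os
import re
from html import escape
from html.parser import HTMLParser

# Elements dropped together with their contents.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# HTML void elements never have a closing tag, so they must not open a skip.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}
# Attributes that can carry a javascript: URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


def _is_js_url(value):
    # Browsers ignore ASCII control characters inside the scheme, so strip
    # them before comparing.
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")


class StaticPageWriter(HTMLParser):
    """Re-serialises a document while removing active content."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element
        self.removed = {"element": 0, "handler": 0, "js_url": 0}

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed["element"] += 1
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if not self.skip_depth:
            self.out.append(self._render(tag, attrs, self_closing=False))

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.removed["element"] += 1
        elif not self.skip_depth:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and tag not in VOID_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def _render(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onload=, onclick=, ...
                self.removed["handler"] += 1
                continue
            if value is not None and lname in URL_ATTRS and _is_js_url(value):
                self.removed["js_url"] += 1
                continue
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")


def strip_active_content(html_text):
    """Return (static_html, counts_of_removed_items) for one document."""
    writer = StaticPageWriter()
    writer.feed(html_text)
    writer.close()
    return "".join(writer.out), dict(writer.removed)


def snapshot_files(storage_root, item_key):
    """Zotero names each attachment folder after its item key, so the key
    from a scanner alert (8LILIY9S in the thread) locates the folder."""
    folder = os.path.join(storage_root, item_key)
    if not os.path.isdir(folder):
        return []
    return sorted(os.path.join(folder, f) for f in os.listdir(folder)
                  if f.lower().endswith((".html", ".htm")))


def make_static_copy(path):
    """Write <name>.static.html beside a snapshot (constructed naming)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        static, counts = strip_active_content(fh.read())
    out_path = os.path.splitext(path)[0] + ".static.html"
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(static)
    return out_path, counts


# Constructed sample standing in for a saved blog snapshot.
SAMPLE_PAGE = (
    '<!DOCTYPE html>\n<html><head><title>Blog &amp; post</title>'
    '<script src="https://example.invalid/counter.js"></script>'
    '<script>var s = "<b>looks like a tag</b>";</script></head>'
    '<body onload="start()"><p class="lead">Text &copy; 2014</p>'
    '<a href="javascript:run()">link</a><img src="chart.png" alt="cape">'
    '<embed src="x.swf"><iframe src="https://example.invalid/"><p>fb</p></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    static_html, removed = strip_active_content(SAMPLE_PAGE)
    print(removed)
    print(static_html)
```

The removal counts are useful on their own: a snapshot of a plain blog post that yields several dropped `script` elements or inline handlers is worth treating as suspect before it is ever opened in a browser. The stdlib parser is not a browser, so on badly malformed markup its view of the document can differ from what a browser would execute; `noscript` fallback content and CSS are left untouched, and the static copy is a cleanup aid, not proof that the original file was benign.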