Installation
This threat might install itself with the name Xpom.
It might create shortcut files on the desktop with these names (the second name in each pair is the Russian-localized version):
- Search the Internet.lnk or ПоисквИнтернет.lnk
- Classmates.lnk or Одноклассники.lnk
- Log on the Internet.lnk or Вход в Интернет.lnk
- Amigo.lnk or Друг.lnk
It might also drop and run other files in the %TEMP% folder, for example:
- cookie (related to keyword search tracking)
- downloader_tmp (also detected as TrojanDownloader:Win32/Ogimant.A)
- ie.reg
- mailruupdater.exe
- mini_installer_inet.exe
- runprog.exe
- setup.exe
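As an added example (not code from the original encyclopedia entry), the following Python script checks a user's desktop and %TEMP% folder for the shortcut and file names listed above. The indicator lists are taken from this page; the split of the %TEMP% names into strong and weak indicators, the directory locations and the verdict rules are this example's own assumptions.

```python
import os
from typing import Dict, Iterable, List, Set

# Indicators taken from the page: desktop shortcuts Ogimant.A creates (each
# English name also has a Russian-localized form) and files it drops in %TEMP%.
DESKTOP_SHORTCUTS: Set[str] = {
    "Search the Internet.lnk", "ПоисквИнтернет.lnk",
    "Classmates.lnk", "Одноклассники.lnk",
    "Log on the Internet.lnk", "Вход в Интернет.lnk",
    "Amigo.lnk", "Друг.lnk",
}
TEMP_DROPS: Set[str] = {
    "cookie", "downloader_tmp", "ie.reg", "mailruupdater.exe",
    "mini_installer_inet.exe", "runprog.exe", "setup.exe",
}
# Assumption of this example, not the page's: setup.exe, runprog.exe and a file
# called "cookie" are common enough in %TEMP% that alone they are only a weak signal.
WEAK_TEMP_NAMES: Set[str] = {"setup.exe", "runprog.exe", "cookie"}


def _hits(names: Iterable[str], iocs: Set[str]) -> List[str]:
    """Return the entries of `names` that match an indicator.

    Windows file names are case-insensitive, so both sides are casefolded;
    casefold() handles the Cyrillic names as well as the Latin ones.
    """
    wanted = {ioc.casefold() for ioc in iocs}
    return sorted(n for n in names if n.casefold() in wanted)


def triage(desktop_names: Iterable[str], temp_names: Iterable[str]) -> Dict[str, List[str]]:
    """Match two directory listings against the indicator lists."""
    return {
        "desktop_shortcuts": _hits(desktop_names, DESKTOP_SHORTCUTS),
        "temp_files": _hits(temp_names, TEMP_DROPS),
    }


def verdict(findings: Dict[str, List[str]]) -> str:
    """Collapse findings into 'likely', 'weak' or 'none'.

    Any desktop shortcut, or any of the more specific %TEMP% names, counts as
    a likely infection; the generic %TEMP% names alone count as a weak signal.
    """
    strong_temp = [n for n in findings["temp_files"] if n.casefold() not in WEAK_TEMP_NAMES]
    if findings["desktop_shortcuts"] or strong_temp:
        return "likely"
    if findings["temp_files"]:
        return "weak"
    return "none"


def _listdir(path: str) -> List[str]:
    try:
        return os.listdir(path)
    except OSError:  # directory missing, or not running on Windows
        return []


if __name__ == "__main__":
    # Assumed locations: the current user's desktop and %TEMP%.
    desktop = os.path.join(os.environ.get("USERPROFILE", ""), "Desktop")
    temp = os.environ.get("TEMP", "")
    found = triage(_listdir(desktop), _listdir(temp))
    print(f"verdict: {verdict(found)}")
    for category, names in found.items():
        for name in names:
            print(f"  {category}: {name}")
```

Run it as the affected user so that %USERPROFILE% and %TEMP% resolve to that user's folders; a `weak` verdict on its own only means a generic name such as setup.exe was present and should be confirmed by other means.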
Distributed via...
Downloads from web sites
You might inadvertently download this file if you're looking for a program that helps you download items, such as pictures or movies, from websites.
We've seen the following websites making this threat available for download:
- 5floor.by
- ecosm.by
- fotostar.by
- krovlja.by
- megaimport.by
- nzga.by
- ofis.by
- otr.by
- royalcity.by
It can also be downloaded from these IP addresses:
- 93.125.99.15
- 93.125.99.16
- 93.125.99.17
- 93.125.99.35
- 93.125.99.38
Note that neither list is exhaustive: these are the hosts seen at the time of analysis, and distribution infrastructure changes. All five IP addresses sit in 93.125.99.0/24, so other addresses in that range are worth a closer look, but they are not confirmed indicators.
Payload
Downloads other files
TrojanDownloader:Win32/Ogimant.A downloads files based on a configuration file that it gets from a remote server. We've seen some of these configuration files being hosted on:
- dwmldr.ru
- horses.super-goldcolds.ru
If you ask it to help you download a file or program, it downloads a file that may or may not be the one you wanted. In some cases it is the actual file; in others it is malware. We have seen it download copies of itself.
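As an added example covering both the download sources listed under "Distributed via..." and the configuration hosts listed above (not code from the original entry), the following Python script matches proxy log lines against those hosts and IP addresses and flags clients that fetched the dropper and then pulled a configuration file. The log line format, the sample lines and the subdomain matching are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Network indicators taken from the page: sites and IP addresses the sample was
# downloaded from, and the hosts that served its configuration file.
DOWNLOAD_SITES: Set[str] = {
    "5floor.by", "ecosm.by", "fotostar.by", "krovlja.by", "megaimport.by",
    "nzga.by", "ofis.by", "otr.by", "royalcity.by",
}
DOWNLOAD_IPS: Set[str] = {
    "93.125.99.15", "93.125.99.16", "93.125.99.17", "93.125.99.35", "93.125.99.38",
}
CONFIG_HOSTS: Set[str] = {"dwmldr.ru", "horses.super-goldcolds.ru"}

# Constructed sample proxy log for this example (not real traffic). The format
# "timestamp client method url status" is an assumption; adapt LINE_RE to the
# proxy you actually have.
SAMPLE_LOG = """\
2013-05-14T10:01:03Z 10.0.0.12 GET http://www.5floor.by/download/setup.exe 200
2013-05-14T10:01:09Z 10.0.0.12 GET http://93.125.99.16/get.php?id=42 200
2013-05-14T10:01:15Z 10.0.0.12 GET http://dwmldr.ru/cfg/config.xml 200
2013-05-14T10:02:00Z 10.0.0.15 GET http://example.com/index.html 200
2013-05-14T10:02:07Z 10.0.0.15 GET http://notecosm.by/ 200
2013-05-14T10:02:30Z 10.0.0.12 GET http://horses.super-goldcolds.ru:8080/cfg 404
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def _under(host: str, iocs: Set[str]) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    Anchored on a dot so that notecosm.by does not match ecosm.by. Matching
    subdomains (www.5floor.by) is this example's generalization; the page
    lists only bare domains.
    """
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def classify_host(host: Optional[str]) -> Optional[str]:
    """Return 'download-ip', 'download-site', 'config-host', or None."""
    if not host:
        return None
    h = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(h)
    except ValueError:
        pass  # a name: fall through to the domain checks
    else:
        return "download-ip" if h in DOWNLOAD_IPS else None
    if _under(h, DOWNLOAD_SITES):
        return "download-site"
    if _under(h, CONFIG_HOSTS):
        return "config-host"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        host = urlsplit(m["url"]).hostname  # drops scheme, port and path
        kind = classify_host(host)
        if kind:
            hits.append({"client": m["client"], "host": host, "kind": kind, "url": m["url"]})
    return hits


def clients_with_chain(hits: List[Dict[str, str]]) -> List[str]:
    """Clients that both fetched from a download source and pulled a configuration file.

    A client that did both has most likely run the downloader, rather than
    merely browsed to one of the distribution sites.
    """
    kinds: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        kinds[h["client"]].add(h["kind"])
    return sorted(c for c, k in kinds.items()
                  if "config-host" in k and k & {"download-site", "download-ip"})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} -> {h['host']} ({h['kind']})")
    print("probable infections:", clients_with_chain(found))
```

A single hit on a download site may just be a user browsing; the download-then-config sequence per client is the stronger signal, and the same matching can be pointed at DNS logs by feeding query names straight into classify_host.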
Changes browser home page
TrojanDownloader:Win32/Ogimant.A might change your browser start page. We have seen it set the start page to http://mail.ru, although the URL may vary depending on which file or program it tries to download. On Internet Explorer the start page is stored in the Start Page value under HKCU\Software\Microsoft\Internet Explorer\Main, which makes this change easy to check for and to revert.
Other information
This threat is signed with a certificate issued to "RU, Moscow, Moscow, LLC Mail.Ru, LLC Mail.Ru". The certificate may be fraudulent, used to make the threat look legitimate. A subject name that matches a well-known company is not evidence that a file is genuine: check that the signature actually validates and chains to a trusted root rather than relying on the signer name.
The social engineering techniques it uses are similar to those used by the Win32/Pameseg family as discussed in the MMPC blog post Fake apps: Behind the effective social strategy of fraudulent paid-archives.
Additional information
For more information on this threat, see the following:
Analysis by Methusela Cebrian Ferrer