TrojanDownloader:Win32/Ogimant.A


Microsoft security software detects and removes this threat.

This threat pretends to help you download items from the Internet. However, instead of downloading the items that you want, it downloads and runs files that are specified by a remote malicious hacker.

You might inadvertently download this threat, not realizing that it will download malware.

Find out ways that malware can get on your PC.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat might install itself with the name Xpom.

It might create shortcut files on the desktop with these names:

  • Search the Internet.lnk or ПоисквИнтернет.lnk
  • Classmates.lnk or Одноклассники.lnk
  • Log on the Internet.lnk or Вход в Интернет.lnk
  • Amigo.lnk or Друг.lnk

It might also drop and run other files in the %TEMP% folder, for example:

  • cookie - related to keyword search tracking
  • downloader_tmp - also detected as TrojanDownloader:Win32/Ogimant.A
  • ie.reg
  • mailruupdater.exe
  • mini_installer_inet.exe
  • runprog.exe
  • setup.exe

Distributed via...

Downloads from web sites

You might inadvertently download this file if you're looking for a program that helps you download items, such as pictures or movies, from websites.

We've seen the following websites making this threat available for download:

  • 5floor.by
  • ecosm.by
  • fotostar.by
  • krovlja.by
  • megaimport.by
  • nzga.by
  • ofis.by
  • otr.by
  • royalcity.by

It can also be downloaded from these IP addresses:

  • 93.125.99.15
  • 93.125.99.16
  • 93.125.99.17
  • 93.125.99.35
  • 93.125.99.38

Note that neither of these lists is exhaustive.

Payload

Downloads other files

TrojanDownloader:Win32/Ogimant.A downloads files based on a configuration file that it gets from a remote server. We've seen some of these configuration files being hosted on:

  • dwmldr.ru
  • horses.super-goldcolds.ru

If you ask it to help you download a file or program, the file it delivers may or may not be the one you want: in some cases it is the actual file, in others it is malware.

We have seen it download copies of itself.
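The distribution sites, download IP addresses and configuration hosts listed above can be swept for in web proxy logs. The following is an added example, not Microsoft's tooling; the single-line log layout and the sample lines are constructed for illustration, and a client that touched a distribution site or download IP and then a configuration host is treated here as the strongest signal, since that sequence matches the download-then-configure behavior described on this page.

```python
"""Network-indicator sweep for TrojanDownloader:Win32/Ogimant.A (constructed example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as listed on this page (not exhaustive, per the page itself).
DISTRIBUTION_SITES = {"5floor.by", "ecosm.by", "fotostar.by", "krovlja.by",
                      "megaimport.by", "nzga.by", "ofis.by", "otr.by", "royalcity.by"}
DOWNLOAD_IPS = {ipaddress.ip_address(a) for a in
                ("93.125.99.15", "93.125.99.16", "93.125.99.17",
                 "93.125.99.35", "93.125.99.38")}
CONFIG_HOSTS = {"dwmldr.ru", "horses.super-goldcolds.ru"}

# Assumed log layout: "<timestamp> <client-ip> <method> <url>", one request per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample lines; hosts are from the page, paths and clients are made up.
SAMPLE_LOG = [
    "2014-04-11T10:01:02Z 10.0.0.12 GET http://fotostar.by/download/setup.exe",
    "2014-04-11T10:01:09Z 10.0.0.12 GET http://dwmldr.ru/config",
    "2014-04-11T10:02:00Z 10.0.0.31 GET http://www.example.com/index.html",
    "2014-04-11T10:03:15Z 10.0.0.12 GET http://93.125.99.38/files/mini_installer_inet.exe",
    "malformed line",
]


def classify_host(host):
    """Return the indicator category for a host name or IP literal, or None."""
    host = host.casefold().rstrip(".")
    try:
        if ipaddress.ip_address(host) in DOWNLOAD_IPS:
            return "download-ip"
    except ValueError:
        pass  # not an IP literal, fall through to domain matching
    # Match the listed domain or any subdomain of it.
    if host in DISTRIBUTION_SITES or any(host.endswith("." + s) for s in DISTRIBUTION_SITES):
        return "distribution-site"
    if host in CONFIG_HOSTS or any(host.endswith("." + c) for c in CONFIG_HOSTS):
        return "config-host"
    return None


def scan_log(lines):
    """Return (client, category, host, url) for each request to a listed indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = urlsplit(m["url"]).hostname or ""
        category = classify_host(host)
        if category:
            hits.append((m["client"], category, host, m["url"]))
    return hits


def clients_by_category(hits):
    """Group the categories seen per client, so a host that fetched the installer
    and then a configuration file stands out from one that only browsed a site."""
    grouped = {}
    for client, category, _host, _url in hits:
        grouped.setdefault(client, set()).add(category)
    return grouped


if __name__ == "__main__":
    for client, categories in clients_by_category(scan_log(SAMPLE_LOG)).items():
        print(client, sorted(categories))
```

Feed real proxy lines through `scan_log` after adapting `LINE_RE` to the local log format; the matching logic in `classify_host` is independent of the layout.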

Changes browser home page

TrojanDownloader:Win32/Ogimant.A might change your browser start page. We have seen it set the start page to http://mail.ru, although the URL may vary depending on which file or program it tries to download.

Other information

This threat uses a certificate issued to RU, Moscow, Moscow, LLC Mail.Ru, LLC Mail.Ru. This certificate might be forged to make the threat look legitimate.

The social engineering techniques it uses are similar to those used by the Win32/Pameseg family as discussed in the MMPC blog post Fake apps: Behind the effective social strategy of fraudulent paid-archives.

Additional information

For more information on this threat, see the following:

Analysis by Methusela Cebrian Ferrer


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these shortcut files on your desktop:
    • Search the Internet.lnk or ПоисквИнтернет.lnk
    • Classmates.lnk or Одноклассники.lnk
    • Log on the Internet.lnk or Вход в Интернет.lnk
    • Amigo.lnk or Друг.lnk
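The shortcut names listed here and in the Installation section, together with the file names the threat may drop in %TEMP%, can be checked for on a host. The script below is an added example and not Microsoft's software: it scans the Desktop and %TEMP% folders for those names and returns what it finds. The default folder locations and the "suspicious" rule (any listed shortcut, or one of the less generic dropped-file names) are assumptions of this example, since common names such as setup.exe in %TEMP% are not meaningful on their own.

```python
"""Host triage for the file-system indicators of TrojanDownloader:Win32/Ogimant.A
(constructed example, not Microsoft's tooling)."""
import os
from pathlib import Path

# Shortcut names from the Installation and Symptoms sections (English and Russian).
SHORTCUT_INDICATORS = {
    "Search the Internet.lnk", "ПоисквИнтернет.lnk",
    "Classmates.lnk", "Одноклассники.lnk",
    "Log on the Internet.lnk", "Вход в Интернет.lnk",
    "Amigo.lnk", "Друг.lnk",
}

# Files the page says may be dropped and run in %TEMP%.
TEMP_INDICATORS = {
    "cookie", "downloader_tmp", "ie.reg", "mailruupdater.exe",
    "mini_installer_inet.exe", "runprog.exe", "setup.exe",
}

# Assumption of this example: these dropped names are specific enough to flag alone;
# the rest (setup.exe, cookie, ...) are too common to count by themselves.
STRONG_TEMP_INDICATORS = {"downloader_tmp", "mailruupdater.exe", "mini_installer_inet.exe"}


def find_indicators(directory, names):
    """Return sorted full paths of files in `directory` whose name is in `names`.

    Matching is case-insensitive, as NTFS file names are; a missing directory yields [].
    """
    directory = Path(directory)
    if not directory.is_dir():
        return []
    wanted = {n.casefold() for n in names}
    return sorted(str(p) for p in directory.iterdir()
                  if p.is_file() and p.name.casefold() in wanted)


def triage(desktop=None, temp=None):
    """Scan the Desktop and %TEMP% folders (defaults taken from the environment;
    assumed locations) and return a report dict."""
    desktop = desktop or Path.home() / "Desktop"
    temp = temp or os.environ.get("TEMP", "/tmp")
    shortcuts = find_indicators(desktop, SHORTCUT_INDICATORS)
    dropped = find_indicators(temp, TEMP_INDICATORS)
    strong_dropped = [p for p in dropped if Path(p).name.casefold() in STRONG_TEMP_INDICATORS]
    return {
        "shortcuts": shortcuts,
        "dropped": dropped,
        "suspicious": bool(shortcuts) or bool(strong_dropped),
    }


if __name__ == "__main__":
    report = triage()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it in the context of the user whose desktop is being examined, since the Desktop path is per user; a positive result is a reason to run the full scan recommended above, not a verdict on its own.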

Prevention


Alert level: Severe
First detected by definition: 1.169.799.0
Latest detected by definition: 1.191.1016.0 and higher
First detected on: Mar 25, 2014
This entry was first published on: Apr 11, 2014
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases