
Win32/Ramdo


Microsoft security software detects and removes this threat.

It disables features of your security software and performs click-fraud.

This threat can get on your PC when you visit a malicious or hacked website that uses an exploit kit such as Exploit:HTML/Pangimop.C (also known as Magnitude). It is also downloaded by other malware, such as Win32/Vobfus or Win32/Beebone.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

It drops itself onto your PC as the file %APPDATA%\version.dll. It renames itself as HpM3Util.exe and places itself into the <startup folder> so that it starts every time Windows starts.

It creates certain registry values to store its configuration data. We have seen it modify the following registry entries:

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLast_ReadedSpec"
With data: "<encrypted configuration>"

In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Sets value: "tLastCollab_doc"
With data: "<encrypted configuration>"

In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
Sets value: "iTestPropulsion"
With data: "<encrypted configuration>"

In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
Sets value: "iTestShears"
With data: "<encrypted configuration>"

Payload

Disables features of security software

The threat runs one of the following files and injects the version.dll file into them:

This threat injects the version.dll copy into all running 32-bit processes and then tries to unload these DLL files:

  • UMEngx86.dll
  • wl_hook.dll

These files are used by certain security software, so if this threat is successful in unloading these files, your security software won't run properly.

Connects to a server

This threat tries to collect the following information about your PC:

  • What operating system version you're running
  • If it's running in a virtual environment
  • What version of Adobe Flash is installed in your PC
  • How many processors you have in your PC
  • Your PC's GUID

It then tries to send the information to a server whose name is generated by a domain generation algorithm that it takes from its configuration information. We have seen the following names used:

  • ceigqweqwaywiqgu.org
  • kuyuacgsiowawsqa.org

Depending on commands from the server, it might also do the following on your PC:

  • Update itself
  • Update its configuration (including the URL it uses for click-fraud and the algorithm it uses to create the server it sends information to)
  • Load modules

Performs click-fraud

It performs click-fraud by generating fake clicks on ads hosted on a server it obtains from its configuration information. We have observed it using the following servers:

  • 95.211.193.11 (with referrer starmina.net)
  • searchlitter.com
  • searchwander.com

It also hooks these APIs to hide its click-fraud activities:

  • CoCreateInstance
  • DialogBoxIndirectParamAorW
  • GetCursorPos
  • waveOutOpen
  • waveOutSetVolume

Depending on how many processors you have in your PC, this threat might start one or multiple instances of these files, into which it injects itself for its click-fraud activities:

It also creates these registry values so that the browser process that performs the click-fraud runs in Internet Explorer 9 mode:

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Sets value: "twunk_32.exe"
With data: "9000"
Sets value: "winhlp32.exe"
With data: "9000"

Analysis by Shawn Wang


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
  • You see these entries or keys in your registry:

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLast_ReadedSpec"
    With data: "<encrypted configuration>"

    In subkey: HKCU\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
    Sets value: "tLastCollab_doc"
    With data: "<encrypted configuration>"

    In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
    Sets value: "iTestPropulsion"
    With data: "<encrypted configuration>"

    In subkey: HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM
    Sets value: "iTestShears"
    With data: "<encrypted configuration>"
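As an added example, not part of Microsoft's entry, the following PowerShell check looks for the indicators described under Threat behavior and Symptoms: the dropped %APPDATA%\version.dll, the HpM3Util.exe startup copy, the configuration values under the Adobe keys, the FEATURE_BROWSER_EMULATION entries for twunk_32.exe and winhlp32.exe, and any process that has a version.dll loaded from outside the Windows directory (the injected copy). The assumption that a legitimate version.dll is only loaded from under %WINDIR% is mine, not the page's.

```powershell
# Added example: checks a Windows host for the Win32/Ramdo indicators listed in this entry.
# Not Microsoft's tool; file names, value names and process names are taken from the entry.
# Run from an elevated PowerShell prompt so that modules of all processes can be enumerated.
$findings = @()

# 1. Dropped file and the renamed copy in the Startup folder
$dropped = Join-Path $env:APPDATA 'version.dll'
if (Test-Path $dropped) { $findings += "Dropped file present: $dropped" }
$startupCopy = Join-Path ([Environment]::GetFolderPath('Startup')) 'HpM3Util.exe'
if (Test-Path $startupCopy) { $findings += "Startup copy present: $startupCopy" }

# 2. Encrypted configuration stored under Adobe-looking keys
$configValues = @{
    'HKCU:\SOFTWARE\Adobe\Adobe ARM\1.0\ARM'       = @('tLast_ReadedSpec', 'tLastCollab_doc')
    'HKCU:\SOFTWARE\Adobe\Acrobat Reader\10.0\IPM' = @('iTestPropulsion', 'iTestShears')
}
foreach ($key in $configValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $configValues[$key]) {
        if ($item.GetValueNames() -contains $name) {
            $findings += "Configuration value present: $key\$name"
        }
    }
}

# 3. IE9 emulation entries for the processes the click-fraud runs in
$emu = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
if (Test-Path $emu) {
    $emuItem = Get-Item $emu
    foreach ($proc in 'twunk_32.exe', 'winhlp32.exe') {
        if ($emuItem.GetValueNames() -contains $proc) {
            $findings += "FEATURE_BROWSER_EMULATION set for $proc = $($emuItem.GetValue($proc))"
        }
    }
}

# 4. version.dll loaded from outside %WINDIR% (assumption: the legitimate copy lives under Windows)
foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied or bitness mismatch: skip
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq 'version.dll' -and $m.FileName -and
            -not $m.FileName.StartsWith($env:WINDIR, 'OrdinalIgnoreCase')) {
            $findings += "version.dll loaded from $($m.FileName) in $($p.ProcessName) (PID $($p.Id))"
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Ramdo indicators found.' } else { $findings }
```

A hit on check 4 alone is worth investigating even if the registry values are absent, since the configuration value names can change with an update while the injection technique does not.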


Prevention


Alert level: Severe
This entry was first published on: Jan 16, 2014
This entry was updated on: Apr 22, 2014

This threat is also detected as:
  • BackDoor.Finder.11 (Dr.Web)
  • Win32/Kryptik.BSNW trojan (ESET)
  • Redyms-FDJR!851716E07456 (McAfee)