Senzorei, posted August 19, 2013 (edited):

Hello, I did some research on the file GuardMailRu.exe and on this site (respectively: habrahabr.ru/post/149636/ ) it says that it adds a toolbar to the IE, Firefox and Opera browsers, which I can confirm, since one account on this machine (respectively the one that installed something that I'm unaware of, which also installed the toolbar) has the toolbar in IE, Firefox and Opera. I hope that you can inspect these files and possibly find a solution.

P.S. The file runs at the System privilege level, and when I tried to terminate the program it executed (approx.) 3000 more executables with the same filename. I sent an archive with these files for inspection.

The installation folder consisted of these branches (CASE SENSITIVE):

Mail.ru
  Guard
    GuardMailRu.exe
    GuardMailRu.dll
  Sputnik
    mailrusputnik.exe
    MailRuSputnik.dll
    SputnikFlashPlayer.exe

For some reason it doesn't allow me to upload the files, but I sent them for inspection.

Edited August 20, 2013 by dwomack: please do not link to potentially malicious sites. You gave a warning but some users may click anyway unknowingly. Thank you.
Senzorei (author), posted August 19, 2013:

The file submission failed for mailrusputnik.exe.
Senzorei (author), posted August 19, 2013:

Update: I sent the files through email.
dwomack (former ESET employee), posted August 20, 2013:

Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?
Arakasi, posted August 21, 2013:

Senzorei, I did a few hours of research for you. According to Lavasoft your virus is called a variant of Win32/LoadMoney: hxxp://lavasoft.com/mylavasoft/securitycenter/whitepapers/lavasoft-security-bulletin-july-2013

ESET detects some variants of this. If you haven't run a full scan with NOD32, I would give it a shot. If it does not work, post back here and I'll assist in removal. I have all the info I require to build you a batch file for removal, or a VBS. Good luck.
Arakasi, posted August 21, 2013 (edited):

If you would like to tackle it yourself, try starting here: hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm

Only "do not download unhackme". I am unaware of its legitimacy. The file location for part of it is there.

Edited August 21, 2013 by Arakasi
Senzorei (author), posted August 23, 2013:

I ran a scan on the files before posting; it did not detect anything. I will try to run a scan now. Even though the process GuardMailRu.exe is in memory, it does not detect it.
Senzorei (author), posted August 23, 2013:

> If you would like to tackle it yourself, try starting here: hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm Only "do not download unhackme". I am unaware of its legitimacy. The file location for part of it is there.

I checked the site on MyWOT (an extension that allows you to see comments and ratings for a webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.
Senzorei (author), posted August 23, 2013:

> Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?

I sent them to samples@eset.com.
Arakasi, posted August 24, 2013:

> If you would like to tackle it yourself, try starting here: hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm Only "do not download unhackme". I am unaware of its legitimacy. The file location for part of it is there.
>
> I checked the site on MyWOT (an extension that allows you to see comments and ratings for a webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.

It's not about trusting or not. It's in plain view:

Manual removal instructions: Antivirus Report of %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE:
%PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Win32.HeurC.KVM019.a.(kcloud)
%PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Dangerous
%PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE High Risk
%program files%\mail.ru\sputnik\sputnikflashplayer.exe
We suggest you to remove SPUTNIKFLASHPLAYER.EXE from your computer as soon as possible.
SPUTNIKFLASHPLAYER.EXE is known as: Win32.HeurC.KVM019.a.(kcloud)
MD5 of SPUTNIKFLASHPLAYER.EXE = 551054755de3fb70c82766da9a84e8a7
SPUTNIKFLASHPLAYER.EXE size is 601120 bytes.
Full path on a computer: %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE
Related Files:
C:\Documents and Settings\All Users\Favorites\Mail.Ru.url
%Program Files%\Mail.Ru\Guard\GuardMailRu.exe
%Program Files%\Mail.Ru\Sputnik\MailRuSputnik.dll
%Program Files%\Mail.Ru\Sputnik\mailrusputnik.exe
%Program Files%\Mail.Ru\Sputnik\SputnikFlashPlayer.exe

So check if the files are there or not. If they aren't, it's a false website or a different version of the virus. If they are, start the removal process. Clean the registry after the fact. If you need help, just ask. I will remote in and clean it for you, or make a batch file based on what needs to be removed.
Arakasi, posted August 24, 2013:

> Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?
>
> I sent them to samples@eset.com.

Good job! This is always needed and helpful to our AV vendor!!
Senzorei (author), posted August 29, 2013:

> If you would like to tackle it yourself, try starting here: hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm Only "do not download unhackme". I am unaware of its legitimacy. The file location for part of it is there.
>
> I checked the site on MyWOT (an extension that allows you to see comments and ratings for a webpage) and it seems to provide some false information, so I wouldn't trust it that much. I will give it a try if the scan doesn't work.
>
> It's not about trusting or not. It's in plain view:
>
> Manual removal instructions: Antivirus Report of %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE:
> %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Win32.HeurC.KVM019.a.(kcloud)
> %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Dangerous
> %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE High Risk
> %program files%\mail.ru\sputnik\sputnikflashplayer.exe
> We suggest you to remove SPUTNIKFLASHPLAYER.EXE from your computer as soon as possible.
> SPUTNIKFLASHPLAYER.EXE is known as: Win32.HeurC.KVM019.a.(kcloud)
> MD5 of SPUTNIKFLASHPLAYER.EXE = 551054755de3fb70c82766da9a84e8a7
> SPUTNIKFLASHPLAYER.EXE size is 601120 bytes.
> Full path on a computer: %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE
> Related Files:
> C:\Documents and Settings\All Users\Favorites\Mail.Ru.url
> %Program Files%\Mail.Ru\Guard\GuardMailRu.exe
> %Program Files%\Mail.Ru\Sputnik\MailRuSputnik.dll
> %Program Files%\Mail.Ru\Sputnik\mailrusputnik.exe
> %Program Files%\Mail.Ru\Sputnik\SputnikFlashPlayer.exe
>
> So check if the files are there or not. If they aren't, it's a false website or a different version of the virus. If they are, start the removal process. Clean the registry after the fact. If you need help, just ask. I will remote in and clean it for you, or make a batch file based on what needs to be removed.

The MD5 hash is a mismatch, and so is the file size.

The MD5 hash of sputnikflashplayer.exe is 8d2e41b2b917b361c50b74db271d31b9 with a file size of 595560 bytes (598016 bytes on disk), while the other sputnikflashplayer.exe (the one in the link you sent me) has MD5 551054755de3fb70c82766da9a84e8a7 with a file size of 601120 bytes. I am not sure whether to remove these files (since it's a mismatch) or not.
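The presence check Arakasi suggests and the hash/size comparison Senzorei reports can be done in one pass. The Python script below is an added example and is not code from anyone in this thread or from ESET; it uses only the %Program Files% paths, MD5 values and sizes quoted above. The fake SputnikFlashPlayer.exe that demo() writes into a temporary directory is constructed so the script runs offline, and defaulting to %ProgramFiles% is an assumption about a live Windows host (the Mail.Ru.url favourite from the report lives elsewhere and is not covered here).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash/size pairs quoted in this thread: the greatis.com report's sample and the
# copy Senzorei measured. The verdict is "known-sample" only when both agree.
KNOWN_SAMPLES = {
    "551054755de3fb70c82766da9a84e8a7": ("SputnikFlashPlayer.exe (greatis.com report)", 601120),
    "8d2e41b2b917b361c50b74db271d31b9": ("SputnikFlashPlayer.exe (Senzorei's copy)", 595560),
}

# Files listed in the report and in Senzorei's directory tree, relative to %ProgramFiles%.
RELATED_FILES = [
    r"Mail.Ru\Guard\GuardMailRu.exe",
    r"Mail.Ru\Guard\GuardMailRu.dll",
    r"Mail.Ru\Sputnik\MailRuSputnik.dll",
    r"Mail.Ru\Sputnik\mailrusputnik.exe",
    r"Mail.Ru\Sputnik\SputnikFlashPlayer.exe",
]


def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so a large binary is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(md5_hex, size):
    """Compare an observed (md5, size) pair with the thread's known samples.

    Returns (verdict, label). A hash match with a different size is reported on
    its own: it cannot happen for an unmodified file, so it deserves a closer look.
    """
    md5_hex = md5_hex.lower()
    if md5_hex not in KNOWN_SAMPLES:
        return "unknown-variant", None
    label, known_size = KNOWN_SAMPLES[md5_hex]
    if size == known_size:
        return "known-sample", label
    return "hash-match-size-mismatch", label


def survey(program_files=None):
    """Check each related path; return {relative_path: (verdict, md5, size, label)}.

    program_files defaults to %ProgramFiles% (assumption: a Windows host); pass a
    directory explicitly to scan a mounted image or a test tree.
    """
    base = Path(program_files or os.environ.get("ProgramFiles", r"C:\Program Files"))
    findings = {}
    for rel in RELATED_FILES:
        p = base.joinpath(*rel.split("\\"))  # split on backslash so it also works on POSIX
        if not p.is_file():
            findings[rel] = ("absent", None, None, None)
            continue
        size = p.stat().st_size
        digest = md5_of_file(p)
        verdict, label = classify(digest, size)
        findings[rel] = (verdict, digest, size, label)
    return findings


def demo():
    """Constructed offline demo: plant a fake SputnikFlashPlayer.exe and survey that tree."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp).joinpath("Mail.Ru", "Sputnik", "SputnikFlashPlayer.exe")
        fake.parent.mkdir(parents=True)
        fake.write_bytes(b"abc")  # constructed content; its MD5 is 900150983cd24fb0d6963f7d28e17f72
        return survey(tmp)


if __name__ == "__main__":
    for rel, (verdict, digest, size, label) in demo().items():
        extra = f"md5={digest} size={size} {label or ''}" if digest else ""
        print(f"{verdict:26} {rel} {extra}")
```

Run it without arguments to see the constructed demo; on the affected machine call survey() with no argument and treat an "unknown-variant" verdict the way Arakasi describes: the file is present but is a different build than the one the report hashed, so the report's removal list may not be complete for it.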
Senzorei (author), posted August 29, 2013:

Sorry for the late reply, I forgot about this.
Arakasi, posted August 29, 2013:

> Sorry for the late reply, I forgot about this.

No, it's ok. It's just possible it may be a different variant of Sputnik. There are many, many, many versions floating around. Thanks Senz!!
Senzorei (author), posted August 30, 2013:

> No, it's ok. It's just possible it may be a different variant of Sputnik. There are many, many, many versions floating around. Thanks Senz!!

You're welcome.