Jump to content

Recommended Posts

Posted (edited)

Hello, I did some research on the file GuardMailRu.exe and in this site (respecively: habrahabr.ru/post/149636/ ) it says that it adds a toolbar to IE, Firefox and Opera browsers, which I can confirm since 1 account on this machine (respectively the one that installed something that I'm unaware of which also installed the toolbar) has the toolbar on IE, Firefox and Opera. I hope that you can inspect these files and possibly find a solution.

P.S. The file runs on the System privilege level and when i tried to terminate the program it executed (approx.) 3000 more executables with the same filename. I sent an archive with these files for inspection. The installation folder consisted of these branches.
CASE SENSITIVE
Mail.ru-----Guard-------GuardMailRu.exe
           |                   |__GuardMailRu.dll

          Sputnik

           |____mailrusputnik.exe

           |____MailRuSputnik.dll

           |____SputnikFlashPlayer.exe


For some reason it doesn't allow me to upload the files, but I sent them for inspection.

Edited by dwomack
please do not link to potentially malicious sites. You gave a warning but some users may click anyways unknowingly. Thank you.
Posted

The file submission failed for mailrusputnik.exe .

  • Former ESET Employees
Posted

Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?

Posted

Senzorei.

I did a few hours of research for you :)

According to lavasoft your virus is called a variant of win32/loadmoney

hxxp://lavasoft.com/mylavasoft/securitycenter/whitepapers/lavasoft-security-bulletin-july-2013

Eset detects some variants of this. If you havent ran a full scan with nod32, i would give it a shot.

If it does not work. Post back here and ill assist in removal.

I have all the info i require to build you a batch file for removal or a vbs.

Good luck :)

Posted

I ran a scan on the files before posting, it did not detect anything. I will try to run a scan now, even though the process GuardMailRu.exe is in memory, it does not detect it.

Posted

If you would like to tackle it yourself try starting here :

hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm

Only "do not download unhackme ". I am unaware of its legitimacy.

File location on part of it is there. :)

I checked the site on MyWOT (extension that allows you to see comments and ratings for the webpage) and it seems to provide some false information so i wouldn't trust it that much. I will give it a try if the scan doesn't work.

Posted

Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?

I sent them to samples@eset.com .

Posted

 

If you would like to tackle it yourself try starting here :

hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm

Only "do not download unhackme ". I am unaware of its legitimacy.

File location on part of it is there. :)

I checked the site on MyWOT (extension that allows you to see comments and ratings for the webpage) and it seems to provide some false information so i wouldn't trust it that much. I will give it a try if the scan doesn't work.

 

 

 

Its not about trusting or not. Its in plain view :

 

 

Manual removal instructions:

Antivirus Report of %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE:

%PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Win32.HeurC.KVM019.a.(kcloud) %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Dangerous %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE High Risk
%program files%\mail.ru\sputnik\sputnikflashplayer.exe We suggest you to remove SPUTNIKFLASHPLAYER.EXE from your computer as soon as possible.

SPUTNIKFLASHPLAYER.EXE is known as: Win32.HeurC.KVM019.a.(kcloud)

MD5 of SPUTNIKFLASHPLAYER.EXE = 551054755de3fb70c82766da9a84e8a7

SPUTNIKFLASHPLAYER.EXE size is 601120 bytes.

Full path on a computer: %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE

Related Files:

C:\Documents and Settings\All Users\Favorites\Mail.Ru.url

%Program Files%\Mail.Ru\Guard\GuardMailRu.exe

%Program Files%\Mail.Ru\Sputnik\MailRuSputnik.dll

%Program Files%\Mail.Ru\Sputnik\mailrusputnik.exe

%Program Files%\Mail.Ru\Sputnik\SputnikFlashPlayer.exe  

 

  So check if the files are there or not. If they aren't, its a false website or a different version of the virus If they are, start removal process.

Clean registry after the fact. If you need help just ask. I will remote in and clean it for you :)

 

Or make a batch file based on what needs to be removed. :)

Posted

 

Because the forum is public, we've restricted the ability to upload potentially malicious files to the site and we discourage posting links to potentially harmful sites. Thanks for emailing the file. Where did you email the file to?

I sent them to samples@eset.com .

 

 

Good job !

This is always needed and helpful to our AV vendor !!

Posted

 

 

If you would like to tackle it yourself try starting here :

hxxp://greatis.com/appdata/d/PROGRAM_FILES/m/mail.ru_sputnik_sputnikflashplayer.exe.htm

Only "do not download unhackme ". I am unaware of its legitimacy.

File location on part of it is there. :)

I checked the site on MyWOT (extension that allows you to see comments and ratings for the webpage) and it seems to provide some false information so i wouldn't trust it that much. I will give it a try if the scan doesn't work.

 

 

 

Its not about trusting or not. Its in plain view :

 

 

Manual removal instructions:

Antivirus Report of %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE:

%PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Win32.HeurC.KVM019.a.(kcloud) %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE Dangerous %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE High Risk
%program files%\mail.ru\sputnik\sputnikflashplayer.exe We suggest you to remove SPUTNIKFLASHPLAYER.EXE from your computer as soon as possible.

SPUTNIKFLASHPLAYER.EXE is known as: Win32.HeurC.KVM019.a.(kcloud)

MD5 of SPUTNIKFLASHPLAYER.EXE = 551054755de3fb70c82766da9a84e8a7

SPUTNIKFLASHPLAYER.EXE size is 601120 bytes.

Full path on a computer: %PROGRAM FILES%\MAIL.RU\SPUTNIK\SPUTNIKFLASHPLAYER.EXE

Related Files:

C:\Documents and Settings\All Users\Favorites\Mail.Ru.url

%Program Files%\Mail.Ru\Guard\GuardMailRu.exe

%Program Files%\Mail.Ru\Sputnik\MailRuSputnik.dll

%Program Files%\Mail.Ru\Sputnik\mailrusputnik.exe

%Program Files%\Mail.Ru\Sputnik\SputnikFlashPlayer.exe  

 

  So check if the files are there or not. If they aren't, its a false website or a different version of the virus If they are, start removal process.

Clean registry after the fact. If you need help just ask. I will remote in and clean it for you :)

 

Or make a batch file based on what needs to be removed. :)

 

 

The MD5 hash is a mismatch, so is the filesize. The MD5 hash of sputnikflashplayer.exe is 8d2e41b2b917b361c50b74db271d31b9 with a filesize of 595560 bytes (598016 bytes on disk), while the other sputnikflashplayer.exe (the one in the link you sent me) MD5 is 551054755de3fb70c82766da9a84e8a7 with a filesize of 601120 bytes. I am not sure as to whether remove these files (since it's a mismatch) or to do so.

Posted

Sorry for the late reply, I forget about this :P .

Posted

Sorry for the late reply, I forget about this :P .

 

No its ok

 

Its just possible it may be a different variant of sputnik

 

There are many many many versions floating around.

 

Thanks Senz !! :)

Posted

 

Sorry for the late reply, I forget about this :P .

 

No its ok

 

Its just possible it may be a different variant of sputnik

 

There are many many many versions floating around.

 

Thanks Senz !! :)

 

 

You're welcome :) .

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...