
TrojanDownloader:Win32/Ogimant.A


First posted on 05 May 2014.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Ogimant.A.

Explanation:

Threat behavior

Installation

This threat might install itself with the name mail.ru or Xpom.

It might create shortcut files on the desktop with these names:

  • Search the Internet.lnk or Поиск в Интернет.lnk
  • Classmates.lnk or Одноклассники.lnk
  • Log on the Internet.lnk or Вход в Интернет.lnk
  • Amigo.lnk or Друг.lnk


It might also drop and run other files in the %TEMP% folder, for example:

  • cookie - contains keyword-search tracking strings, for example "/search?q=&... =p_profitraf2"
  • downloader_tmp - also detected as TrojanDownloader:Win32/Ogimant.A
  • ie.reg
  • mailruupdater.exe
  • mini_installer_inet.exe
  • runprog.exe
  • setup.exe


Distributed via...

Downloads from web sites

You might inadvertently download this file if you're looking for a download helper program.

We've seen the following websites making this threat available for download:

  • 5floor.by
  • ecosm.by
  • fotostar.by
  • krovlja.by
  • megaimport.by
  • nzga.by
  • ofis.by
  • otr.by
  • royalcity.by


It can also be downloaded from these IP addresses:

  • 93.125.99.15
  • 93.125.99.16
  • 93.125.99.17
  • 93.125.99.35
  • 93.125.99.38


Note that neither of these lists is exhaustive.

Payload

Downloads other files

TrojanDownloader:Win32/Ogimant.A downloads files based on the XML configuration file passed to it by a remote server. We've seen some of these configuration files being hosted on:

  • dwmldr.ru
  • horses.super-goldcolds.ru
  • profitraf.ru - download referrer


If you ask it to help you download a certain program, it downloads a file that may or may not be the program you asked for. In some cases it is the actual file; in others it is not a copy of the legitimate program.

Changes browser home page

TrojanDownloader:Win32/Ogimant.A might change your browser start page to http://mail.ru.

Other information

This threat uses a certificate issued to RU, Moscow, Moscow, LLC Mail.Ru, LLC Mail.Ru (the country, state, locality, organization and common name of the certificate subject).

The social engineering techniques it uses are similar to those used by the Win32/Pameseg family as discussed in this blog post.



Analysis by Methusela Cebrian Ferrer

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these shortcut files on your desktop:
    • Search the Internet.lnk or Поиск в Интернет.lnk
    • Classmates.lnk or Одноклассники.lnk
    • Log on the Internet.lnk or Вход в Интернет.lnk
    • Amigo.lnk or Друг.lnk
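The indicators on this page (desktop shortcut names, files dropped in %TEMP%, distribution and configuration hosts, the mail.ru start page) collected into one triage script. This is an added example and not Microsoft's code or anything from the threat itself. It runs over a constructed host inventory (a list of file paths, the browser start page value and a list of URLs from proxy or DNS logs) rather than touching a live host, so it runs anywhere; the sample paths and URLs are constructed, and treating the quoted "=p_profitraf2" fragment as a query-string value (under a made-up "ref" key in the sample) is an assumption.

```python
"""Triage helper for the TrojanDownloader:Win32/Ogimant.A indicators.

Added example, not Microsoft's code. Indicator lists are copied from the
page; the sample inventory at the bottom is constructed for illustration.
"""
import ntpath
import unicodedata
from urllib.parse import parse_qs, urlsplit

# Names are compared case-insensitively after NFC normalisation so the
# Cyrillic variants match however the collector encoded them.
DESKTOP_SHORTCUTS = {
    "search the internet.lnk", "поиск в интернет.lnk",
    "classmates.lnk", "одноклассники.lnk",
    "log on the internet.lnk", "вход в интернет.lnk",
    "amigo.lnk", "друг.lnk",
}
TEMP_DROPS = {
    "cookie", "downloader_tmp", "ie.reg", "mailruupdater.exe",
    "mini_installer_inet.exe", "runprog.exe", "setup.exe",
}
DISTRIBUTION_HOSTS = {
    "5floor.by", "ecosm.by", "fotostar.by", "krovlja.by", "megaimport.by",
    "nzga.by", "ofis.by", "otr.by", "royalcity.by",
}
DISTRIBUTION_IPS = {"93.125.99.15", "93.125.99.16", "93.125.99.17",
                    "93.125.99.35", "93.125.99.38"}
CONFIG_HOSTS = {"dwmldr.ru", "horses.super-goldcolds.ru", "profitraf.ru"}
# From the "=p_profitraf2" fragment quoted for the dropped cookie file;
# matching it as a query-string value is an assumption.
TRACKING_TOKEN = "p_profitraf2"


def normalized_name(path):
    """Case-folded, NFC-normalised file name of a Windows path."""
    return unicodedata.normalize("NFC", ntpath.basename(path)).casefold()


def normalized_parent(path):
    """Case-folded, NFC-normalised parent directory of a Windows path."""
    return unicodedata.normalize("NFC", ntpath.dirname(path)).casefold()


def desktop_hits(paths):
    """Shortcut names from the page found directly under a Desktop folder."""
    return [p for p in paths
            if normalized_parent(p).endswith("\\desktop")
            and normalized_name(p) in DESKTOP_SHORTCUTS]


def temp_hits(paths, temp_dir):
    """Dropped-file names from the page found directly under temp_dir."""
    temp = unicodedata.normalize("NFC", temp_dir).casefold().rstrip("\\")
    return [p for p in paths
            if normalized_parent(p) == temp and normalized_name(p) in TEMP_DROPS]


def start_page_hit(start_page):
    """True if the start page points at mail.ru (weak on its own)."""
    host = urlsplit(start_page).hostname or ""
    return host == "mail.ru" or host.endswith(".mail.ru")


def _matches(host, names):
    return any(host == n or host.endswith("." + n) for n in names)


def url_hits(urls):
    """(url, reason) pairs for URLs touching the page's hosts, IPs or token."""
    hits = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        values = {v for vals in parse_qs(parts.query).values() for v in vals}
        if host in DISTRIBUTION_IPS:
            hits.append((url, "distribution IP"))
        elif _matches(host, DISTRIBUTION_HOSTS):
            hits.append((url, "distribution host"))
        elif _matches(host, CONFIG_HOSTS):
            hits.append((url, "config/referrer host"))
        elif TRACKING_TOKEN in values:
            hits.append((url, "tracking token in query"))
    return hits


def triage(paths, temp_dir, start_page, urls):
    """Dropped files or network contact carry the verdict; shortcuts and the
    start page alone only corroborate (design choice, not from the page)."""
    findings = {
        "desktop": desktop_hits(paths),
        "temp": temp_hits(paths, temp_dir),
        "start_page": start_page_hit(start_page),
        "urls": url_hits(urls),
    }
    if findings["temp"] or findings["urls"]:
        findings["verdict"] = "likely"
    elif findings["desktop"] or findings["start_page"]:
        findings["verdict"] = "weak"
    else:
        findings["verdict"] = "none"
    return findings


# Constructed sample inventory (not real telemetry).
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\Одноклассники.lnk",
    r"C:\Users\alice\Desktop\Amigo.lnk",
    r"C:\Users\alice\Desktop\Notes.txt",
    r"C:\Users\alice\AppData\Local\Temp\mailruupdater.exe",
    r"C:\Users\alice\AppData\Local\Temp\ie.reg",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
]
SAMPLE_URLS = [
    "http://5floor.by/downloads/setup.exe",
    "http://93.125.99.35/get?id=1",
    "http://dwmldr.ru/config.xml",
    "http://go.example/search?q=&ref=p_profitraf2",   # "ref" key is made up
    "https://www.microsoft.com/",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_TEMP, "http://mail.ru",
                             SAMPLE_URLS).items():
        print(key, value)
```

On a live Windows host you would feed it the Desktop and %TEMP% listings (for example from Get-ChildItem) and the Start Page value from HKCU\Software\Microsoft\Internet Explorer\Main. The weighting in triage() is a design choice: mail.ru-branded shortcuts and a mail.ru start page can also come from Mail.Ru software a user installed on purpose, so they only corroborate a dropped-file or network hit rather than carrying the verdict by themselves.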

Last update 05 May 2014
