
Adware:Win32/Rugo


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

Adware:Win32/Rugo is also known as Adware.Rugo (Symantec), Adware_PigSearch / Adware_WSearch (Trend Micro), Win32/Adware.WSearch (ESET), Trojan.Agent.Bho.K (BitDefender), Adware.WSearch.Y (VirusBuster), and not-a-virus:AdWare.Win32.WSearch.o (Kaspersky).

Explanation:

Adware:Win32/Rugo is a program that installs silently on the user's computer and displays advertisements.

Symptoms

System Changes
The following system changes may indicate the presence of Adware:Win32/Rugo:

  • Presence of the following files:
    "%temp%\ofang.dll"
    "%temp%\nginstall.dll"
    "%temp%\usb8028.sys"
    "%temp%\usb8028x.sys"
    "%temp%\hbcmd.dll"
    "%temp%\lfrmewrk.exe"
    "<system folder>\tmp334.tmp"
    "<system folder>\ofang.dll"
    "<system folder>\tmp333.tmp"
    "<system folder>\hbcmd.dll"
    "<system folder>\tmp335.tmp"
    "<system folder>\lfrmewrk.exe"
    "<system folder>\drivers\usb8028.sys"
    "<system folder>\drivers\usb8028x.sys"
    "<system folder>\msrundll.exe"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].dat"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].cfg"
    "<system folder>\[random_4digits].exe"
    "%windir%\[random_4digits].avi"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].jpg"


    Installation
    When executed, Adware:Win32/Rugo performs the following actions:
  • Drops a file to "<system folder>-4-1283564"
  • Drops a file to "%windir%\1.tmp". This file is a NullSoft (NSIS) installer.
  • Silently installs the dropped installer by running it with the NSIS silent switch:
    C:\WINDOWS\1.tmp /S
  • Deletes its own executable by running:
    C:\WINDOWS\system32\cmd.exe /c del <malware_file>

    Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.

    The installer performs the following actions:
  • Drops the following files:
    "%temp%\ofang.dll"
    "%temp%\nginstall.dll"
    "%temp%\usb8028.sys"
    "%temp%\usb8028x.sys"
    "%temp%\hbcmd.dll"
    "%temp%\lfrmewrk.exe"
    "<system folder>\tmp334.tmp"
    "<system folder>\ofang.dll"
    "<system folder>\tmp333.tmp"
    "<system folder>\hbcmd.dll"
    "<system folder>\tmp335.tmp"
    "<system folder>\lfrmewrk.exe"
    "<system folder>\drivers\usb8028.sys"
    "<system folder>\drivers\usb8028x.sys"
    "<system folder>\msrundll.exe"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].dat"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].cfg"
    "<system folder>\[random_4digits].exe"
    "%windir%\[random_4digits].avi"
    "<system folder>\[random_4digits].dll"
    "%windir%\[random_5digits].jpg"
  • Launches the following commands:
    regsvr32.exe /u /s <system folder>\HelpIE.dll
    regsvr32.exe /s <system folder>\hbcmd.dll
    <system folder>\lfrmewrk.exe -i
    <system folder>\lfrmewrk.exe -s
    <system folder>\MSRundll.exe <system folder>\ofang.dll,Always
  • Adware:Win32/Rugo deploys a driver (the usb8028.sys and usb8028x.sys files listed above) to hide its files and to protect its registry modifications; some variants do not use this feature. The threat displays advertising through Browser Helper Objects (BHOs), which are registered with regsvr32 as shown above. The advertising content is retrieved from the domain 777.boolans.com. Each successful installation is logged by contacting http://ccc.boolans.com/*****/38sw.e?uid=[unique_user_id]
    *Note: This URL has been modified.
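The sweep below is an added example written for this entry; it is not part of the original description and not vendor tooling. It checks a suspect host for the artifacts listed in the Symptoms and Installation sections together: the dropped files (with path separators restored; the second %temp% file is assumed to be nginstall.dll), the random-name files by their digit-count patterns, the usb8028 driver service, BHO registrations whose COM server resolves to one of the dropped DLLs, and cached DNS entries for the boolans.com domains. The Wow6432Node registry paths are an assumption for 64-bit hosts, which the 2009 analysis predates. Because some variants load a driver that hides files, a clean Test-Path result on its own does not clear the host; the service and registry checks are the cross-check.

```powershell
# Added example: read-only triage sweep for Adware:Win32/Rugo indicators.
# Run in an elevated PowerShell 5.1+ session on the suspect host. Nothing is modified.
# Caveat: the hiding driver can conceal files on disk, so the service/registry checks
# below matter more than Test-Path when the driver is present.

$sys = [Environment]::SystemDirectory   # <system folder>, e.g. C:\Windows\System32
$win = $env:windir
$tmp = $env:TEMP

# Fixed-name artifacts from the file lists above (nginstall.dll is an assumed name).
$fixedFiles = @(
    "$tmp\ofang.dll", "$tmp\nginstall.dll", "$tmp\usb8028.sys", "$tmp\usb8028x.sys",
    "$tmp\hbcmd.dll", "$tmp\lfrmewrk.exe",
    "$sys\tmp333.tmp", "$sys\tmp334.tmp", "$sys\tmp335.tmp",
    "$sys\ofang.dll", "$sys\hbcmd.dll", "$sys\lfrmewrk.exe", "$sys\msrundll.exe",
    "$sys\drivers\usb8028.sys", "$sys\drivers\usb8028x.sys",
    "$win\1.tmp"                            # the dropped NSIS installer
)

# Random-name artifacts: [random_4digits] / [random_5digits] with the listed extensions.
$randomPatterns = @(
    @{ Dir = $sys; Regex = '^\d{4}\.(dll|exe)$' },
    @{ Dir = $win; Regex = '^\d{5}\.(dat|cfg|jpg)$|^\d{4}\.avi$' }
)

$findings = [System.Collections.Generic.List[string]]::new()

foreach ($f in $fixedFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") }
}

foreach ($p in $randomPatterns) {
    Get-ChildItem -LiteralPath $p.Dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $p.Regex } |
        ForEach-Object { $findings.Add("file (random-name pattern): $($_.FullName)") }
}

# The hiding driver is registered as a kernel service; the service database is a
# second source of truth when the .sys on disk is concealed.
Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'usb8028*' -or $_.PathName -like '*usb8028*' } |
    ForEach-Object { $findings.Add("driver service: $($_.Name) state=$($_.State) path=$($_.PathName)") }

# Same check straight from the registry, in case the WMI/CIM view is filtered.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'usb8028*' } |
    ForEach-Object { $findings.Add("service key: $($_.Name)") }

# BHO registration: regsvr32 /s <system folder>\hbcmd.dll registers a COM server and a
# Browser Helper Objects entry. Resolve every BHO CLSID to its InprocServer32 path and
# flag the ones that point at the dropped DLLs (HelpIE.dll is the one the installer
# unregisters, so a leftover entry is worth noting too).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
$suspectDlls = @('hbcmd.dll', 'ofang.dll', 'helpie.dll')

foreach ($bk in $bhoKeys) {
    Get-ChildItem $bk -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($root in $clsidRoots) {
            $srv = Get-ItemProperty -Path "$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)') {
                $dll = [IO.Path]::GetFileName($srv.'(default)').ToLower()
                if ($suspectDlls -contains $dll) {
                    $findings.Add("BHO $clsid -> $($srv.'(default)')")
                }
            }
        }
    }
}

# Beaconing: install logging goes to ccc.boolans.com, ads come from 777.boolans.com.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*boolans.com' } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) {
    "No Adware:Win32/Rugo indicators found (file checks alone can be defeated by the hiding driver)."
} else {
    "Possible Adware:Win32/Rugo indicators:"
    $findings | ForEach-Object { "  $_" }
}
```

The random-name patterns are deliberately loose (any 4- or 5-digit basename with the listed extensions), so treat those hits as leads to inspect, not as confirmation; the fixed-name files, the usb8028 service and a BHO resolving to hbcmd.dll or ofang.dll are the strong indicators.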

    Last update 04 February 2009