
Win32/Rongvhin


First posted on 12 October 2013.
Source: Microsoft

Aliases:

There are no other names known for Win32/Rongvhin.

Explanation:

Threat behavior

Win32/Rongvhin is a family of malware that perpetrates click fraud. It might arrive on your PC via hack tools for the CrossFire game.

Installation

Rongvhin contains a dropper component (for example, TrojanDropper:Win32/Rongvhin.A) that might arrive on your computer as part of hack tools for the CrossFire game. It usually has the file name xtrap.xt.

The dropper component drops the main click fraud component. This component might use any of the following file names:

  • %windir%\adsminirun.exe
  • %windir%\adsminirun2.exe
  • %windir%\ads.exe
  • %windir%\ads1.exe
  • %windir%\ads2.exe
  • %windir%\ads3.exe
  • %windir%\click.exe
  • %windir%\clickads.exe
  • %windir%\miniads.exe
  • %windir%\miniads1.exe
  • %windir%\miniads2.exe


The dropper creates this registry entry to ensure that the main component runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>", for example "adsacquy"
With data: "<name of the main click fraud component>", for example "%windir%\ads.exe"

The dropper then runs the main click fraud component.

Payload

Performs click fraud

The main component connects to a predefined server to receive information on its click fraud activities. We have observed Win32/Rongvhin connecting to these servers:

  • modzvinacf.blogspot.com
  • 120.72.85.141


Some of the pay-per-click service providers that we've seen targeted for click fraud are:

  • adf.ly
  • bc.vc
  • cf.ly
  • iiiii.in
  • linkbucks.com
  • popads.net
  • poponclick.com
  • riurl.com
  • smileptp.info
  • ulmt.in
  • wwy.me


Prevents access to certain websites

Some variants of Rongvhin might add entries to the Windows Hosts file to stop you from accessing certain websites.

Creates shortcut files

Win32/Rongvhin might also create shortcut files with these names, which point to the website www.dankinhte.vn:

  • %AllUserProfile%\Desktop\Google Firefox.url
  • %AllUserProfile%\Desktop\Internet Explorer.url
  • %AllUserProfile%\Desktop\Mozilla Firefox.url
  • %UserProfile%\Desktop\Google Firefox.url
  • %UserProfile%\Desktop\Internet Explorer.url
  • %UserProfile%\Desktop\Mozilla Firefox.url


Clears cache

Win32/Rongvhin runs the following command to remove files from the Temporary Internet Files folder periodically:

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

Other information

Some variants might drop the file C:\ipcheck.txt on your computer. Some older variants might also download the file Leader.dat.



Analysis by Steven Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You have one or more of the files that the dropper uses for the main click fraud component (see Installation), such as %windir%\ads.exe or %windir%\miniads.exe.
  • You can't go to the websites that the threat blocks through the Windows Hosts file (see Prevents access to certain websites).
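As an added defender-side example (not part of the original description), the following Python checks data gathered from a PC against the indicators above: Run-key values that launch one of the main component file names, Hosts-file lines that map the blocked sites, and a desktop .url shortcut whose target is www.dankinhte.vn. The sample Run values, Hosts text and .url content are constructed for the demonstration, and only a few of the blocked domains are included.

```python
import configparser
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators from the description: file names used by the main click fraud
# component, a few of the Hosts-file entries, and the shortcut target site.
MAIN_COMPONENT_NAMES = {
    "adsminirun.exe", "adsminirun2.exe", "ads.exe", "ads1.exe", "ads2.exe",
    "ads3.exe", "click.exe", "clickads.exe", "miniads.exe", "miniads1.exe",
    "miniads2.exe",
}
BLOCKED_SITES = {"hackcf.in", "hackvcoin.net", "congdonggame.net", "xgamethu.com"}
SHORTCUT_TARGET = "www.dankinhte.vn"

def suspicious_run_values(run_values):
    """Return Run-key value names whose data launches a known component name.
    run_values maps value name -> data, as exported from HKCU\\...\\Run."""
    hits = []
    for name, data in run_values.items():
        path = data.strip()
        if path.startswith('"'):          # "quoted path" [args]
            path = path[1:].split('"', 1)[0]
        else:                             # unquoted path [args]
            path = path.split(" ", 1)[0]
        if PureWindowsPath(path).name.lower() in MAIN_COMPONENT_NAMES:
            hits.append(name)
    return hits

def blocking_hosts_entries(hosts_text):
    """Return (address, hostname) pairs in Hosts text that map a blocked site."""
    found = []
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        for host in parts[1:]:
            if host.lower() in BLOCKED_SITES:
                found.append((parts[0], host.lower()))
    return found

def shortcut_points_to_target(url_file_text):
    """True if a .url file's [InternetShortcut] URL points at the target site."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_file_text)
    url = cp.get("InternetShortcut", "URL", fallback="")
    return urlsplit(url).hostname == SHORTCUT_TARGET

# Constructed sample data so the script runs stand-alone (not from a real host).
SAMPLE_RUN = {"adsacquy": '"%windir%\\ads.exe"', "Sync": "C:\\Tools\\sync.exe /bg"}
SAMPLE_HOSTS = "127.0.0.1 localhost\n# comment\n127.0.0.1 hackcf.in hackvcoin.net # x\n"
SAMPLE_URL = "[InternetShortcut]\nURL=http://www.dankinhte.vn/\n"

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN), blocking_hosts_entries(SAMPLE_HOSTS),
          shortcut_points_to_target(SAMPLE_URL))
```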

Last update 12 October 2013