Adware Bundle Adds Persistence to Download More Malware at Later Time

LASER_oneXM

Feb 4, 2016
For about a week now there have been repeated posts on the BleepingComputer and Malwarebytes forums regarding a BITSADMIN 3.0 command prompt that repeatedly opens on its own and downloads files. What all of these users had in common were numerous adware and unwanted programs installed on the computer.

[Image: Bitsadmin 3.0 Prompt]

It wasn't until yesterday that researchers at these forums, such as Aura & Djordje Lukic, discovered that this behavior was being caused by an adware bundle called FileTour. FileTour is an adware bundle that downloads adware, unwanted extensions, PUPs, and miners to an infected computer. An interesting characteristic of FileTour is that it almost always installs PUPs written for Russian victims. These include programs related to Mail.ru and extensions whose titles are written in Russian.

[Image: Mail.ru Program]

Recently FileTour seems to have decided to add persistence to its behavior in order to further download and install unwanted programs on a victim's computer. It does this by creating various batch files which are executed by scheduled tasks at login and every 3 hours thereafter.
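
A triage sketch for the persistence pattern described in the post above (an added example, not part of the original post or the researchers' work): it parses a Task Scheduler XML export, such as the output of `schtasks /query /xml`, and reports logon triggers, repetition intervals, and batch-file or bitsadmin actions. The sample task, its path, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)

# Constructed sample: a task that runs a batch file at logon and every 3 hours.
# The path is a placeholder, not an indicator from the post.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT3H</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Actions>
    <Exec><Command>C:\Users\Public\example\refresh.bat</Command></Exec>
  </Actions>
</Task>"""

def interval_hours(iso):
    """Convert a simple ISO 8601 duration (PT3H, PT180M, P1D) to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 24 + h + mi / 60 + s / 3600

def triage_task(xml_data):
    """Return the persistence traits found in one exported task definition."""
    root = ET.fromstring(xml_data)
    findings = []
    for trig in root.findall("t:Triggers/*", NS):
        if trig.tag.split("}")[-1] == "LogonTrigger":
            findings.append("runs at logon")
        hours = interval_hours(trig.findtext("t:Repetition/t:Interval", None, NS))
        if hours is not None:
            findings.append(f"repeats every {hours:g}h")
    for act in root.findall("t:Actions/t:Exec", NS):
        line = f"{act.findtext('t:Command', '', NS)} {act.findtext('t:Arguments', '', NS)}"
        if SCRIPT_RE.search(line):
            findings.append("executes a batch file")
        if "bitsadmin" in line.lower():
            findings.append("invokes bitsadmin")
    return findings

if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK))
```

A task that shows all of these traits together is worth a manual look at the batch file it points to; any one trait alone is common in legitimate software.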
 
