Electronic news service of the Ministry of Communications and Information Technologies
All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected
Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable". After researching this, it has been determined that seeing this program is a symptom of a much bigger problem on your computer.
If your computer is suddenly displaying the program shown above, then it is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.
Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help at this time. Due to this and the amount of malware installed, if you are infected I suggest that you reinstall Windows from scratch if possible.
If that is not an option, you can create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer.
Furthermore, some of the VirusTotal scans associated with this infection have indicated that an information stealing Trojan could have been installed as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected.
All-Radio 4.27 Portable infection installed through cracks
This malware campaign appears to have started yesterday when people began requesting help in the Malwarebytes forum. These help requests were from users who suddenly saw a program called All-Radio 4.27 Portable in Windows, but could not find a way to remove it.
While All-Radio 4.27 Portable appears to be a legitimate Russian online video and radio program, the malware authors have copied it and created an imposter to act as a front for other malware that is installed.
When malware removal expert Aura started helping these victims, he noticed a common theme. Most of the users reported being infected after they downloaded and installed game cracks and Windows activation tools such as KMSpico.
When experts checked all of the reported links, they found that the supposed cracks were an "aimp" adware bundle. This adware bundle is what is most likely pushing the malware package.
This malware package has a whole basket of goodies
From the research conducted by Aura and Elise, it was found that the infection will download and install a cascade of malware that ultimately infects a computer with a rootkit, a miner, a clipboard hijacker, a spammer, and other Trojan downloaders.
The main installer, which is virtual machine aware, will be installed in %AppData%\Microsoft\Windows\[random]\[random].exe and will inject a process into Explorer.exe. This process will then copy itself to %Temp%\allradio_4.27_portable.exe and display the All-Radio 4.27 Portable screen.
It will then download and install various files into the %Temp% folder and execute them. These downloaded files will ultimately install the following malware:
- A program that connects to https://iplogger.com/1kfvV6 for statistics purposes.
- A miner called file.exe that is injected into C:\Windows\SysWOW64\svchost.exe.
- Malware that monitors the clipboard for 2,343,286 cryptocurrency addresses, and if one is detected, replaces it with a different address under their control.
This allows the malware developers to steal the cryptocoins that are transferred to their account instead of the expected one.
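The following Python script is an added example, not code from the original article or from the researchers it names. It turns the file, process and network indicators listed above into matching rules a responder can run over a host or over an exported inventory, and adds a check for the clipboard-hijacker behaviour: an address you copied coming back from the clipboard as a different address. It assumes that %AppData% resolves to a path ending in AppData\Roaming and %Temp% to one ending in Temp, treats an .exe exactly one directory below %AppData%\Microsoft\Windows and an svchost.exe image under SysWOW64 as heuristics rather than proof, and uses constructed address patterns and a constructed sample inventory.

```python
"""Triage helper for the All-Radio 4.27 Portable infection chain.

Added example, not the article's own code. Every hit is a lead to investigate,
not a verdict: the %AppData% and SysWOW64 rules are heuristics (assumption).
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# File names the write-up says are dropped into %Temp%.
TEMP_DROPS = {"allradio_4.27_portable.exe", "file.exe"}
# Host the statistics beacon connects to (the write-up names https://iplogger.com/1kfvV6).
BEACON_HOSTS = {"iplogger.com"}

# Constructed address shapes for the clipboard check: Bitcoin base58, Bitcoin
# bech32 and Ethereum-style hex. The real hijacker reportedly matches millions
# of specific addresses; this only recognises the general shape.
_ADDRESS_SHAPES = [
    re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    re.compile(r"^bc1[02-9ac-hj-np-z]{25,59}$"),
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
]


def _parts(path: str) -> List[str]:
    """Split a Windows or POSIX-style path into lower-cased components."""
    return [p for p in re.split(r"[\\/]+", path.lower()) if p]


def classify_path(path: str) -> Optional[str]:
    """Return a label for the indicator a file path matches, or None."""
    parts = _parts(path)
    if not parts or not parts[-1].endswith(".exe"):
        return None
    name = parts[-1]
    # %Temp%\allradio_4.27_portable.exe and %Temp%\file.exe
    if len(parts) >= 2 and parts[-2] == "temp" and name in TEMP_DROPS:
        return f"known dropper/miner file in %Temp%: {name}"
    # %AppData%\Microsoft\Windows\[random]\[random].exe: an .exe exactly one
    # directory below ...\AppData\Roaming\Microsoft\Windows (heuristic).
    if len(parts) >= 6 and parts[-6:-2] == ["appdata", "roaming", "microsoft", "windows"]:
        return f"random-named installer under %AppData%\\Microsoft\\Windows: {parts[-2]}\\{name}"
    return None


def classify_process(name: str, image_path: str) -> Optional[str]:
    """Flag svchost.exe running from SysWOW64, the image the miner is injected into (heuristic)."""
    parts = _parts(image_path)
    if name.lower() == "svchost.exe" and len(parts) >= 2 and parts[-2] == "syswow64":
        return "svchost.exe running from SysWOW64 (miner injection target per the write-up)"
    return None


def classify_connection(remote_host: str) -> Optional[str]:
    """Flag connections to the statistics beacon host or any of its subdomains."""
    host = remote_host.lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in BEACON_HOSTS):
        return f"connection to statistics beacon host {host}"
    return None


def find_indicators(files: Iterable[str],
                    processes: Iterable[Tuple[str, str]] = (),
                    connections: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Run every rule over the supplied inventory; returns (evidence, label) pairs."""
    hits: List[Tuple[str, str]] = []
    for path in files:
        label = classify_path(path)
        if label:
            hits.append((path, label))
    for name, image in processes:
        label = classify_process(name, image)
        if label:
            hits.append((image, label))
    for host in connections:
        label = classify_connection(host)
        if label:
            hits.append((host, label))
    return hits


def looks_like_coin_address(text: str) -> bool:
    """True when the text has the shape of a Bitcoin or Ethereum address."""
    text = text.strip()
    return any(r.match(text) for r in _ADDRESS_SHAPES)


def clipboard_swapped(copied: str, clipboard_now: str) -> bool:
    """True when a copied coin address has been replaced by a different address.

    Feed it the address you placed on the clipboard and what the clipboard holds
    a few seconds later (read back with whatever clipboard module you use).
    """
    return (looks_like_coin_address(copied)
            and looks_like_coin_address(clipboard_now)
            and copied.strip() != clipboard_now.strip())


def scan_host() -> List[Tuple[str, str]]:
    """Walk %APPDATA% and %TEMP% on the local machine and apply the file rules."""
    found: List[str] = []
    for root in filter(None, (os.environ.get("APPDATA"), os.environ.get("TEMP"))):
        for dirpath, _dirs, filenames in os.walk(root):
            found.extend(os.path.join(dirpath, f) for f in filenames)
    return find_indicators(found)


# Constructed sample inventory (not real telemetry) for exercising the rules offline.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\kd93lsp\xq1m2z.exe",
    r"C:\Users\alice\AppData\Local\Temp\allradio_4.27_portable.exe",
    r"C:\Users\alice\AppData\Local\Temp\file.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup_log.txt",
]
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
]
SAMPLE_CONNECTIONS = ["iplogger.com", "update.microsoft.com"]

if __name__ == "__main__":
    for evidence, label in find_indicators(SAMPLE_FILES, SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f"[!] {label}\n    {evidence}")
```

On a suspect Windows machine, call scan_host() for the file rules and feed process and connection listings (for example from Get-Process and Get-NetTCPConnection exports) into find_indicators(). Treat the %AppData% rule as a lead: it fires on any .exe one directory below %AppData%\Microsoft\Windows, which is unusual but not impossible for legitimate software.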
According to some of the VirusTotal scans, some of the downloaded components could also be information-stealing Trojans. Therefore, if you logged into any accounts while infected, you should change your password at those accounts from a clean machine.
As you can see, this is a serious infection with malware that can potentially steal your account credentials, use your computer for mining, and download other malware onto your computer. Its use of a rootkit to protect some of its components indicates that the malware developer means business, and we can expect to see it continue to be distributed. Therefore, be sure to clean your computer if you have any of the above symptoms.
Finally, cracks have always been a source of malware, especially for consumers. Due to this, it is strongly advised that you avoid cracks and other programs that can generate software licenses as they are commonly infected with malware.
02/07/18