General Explanation
Type: Adware
Degree of destruction: high
Prevalence: average
What is Adware?
Adware is advertising malware that displays ads or multiple banners on the infected system and urges the user to buy products or services. This kind of malware usually enters the system unintentionally, without the user noticing.
What is Oxypumper malware?
Oxypumper malware is created to show ads on the victim's system, but in fact it also harms the system by downloading other files and disabling its security mechanisms. Initially, the malware downloads auxiliary files from specific addresses; these files, which are descendants of the main malware, appear as new processes, each with a specific task. Eventually, with the help of all these files, it downloads the Opera browser, installs it on the victim's system, and uses that browser for its advertising by opening multiple tabs.
Technical Explanation
Signs of infection
One of the most prominent signs of this malware is the installation of the Facebook and Opera software. After installation, the malware attempts to open multiple tabs in the Opera browser and display a series of addresses and ads.
Other signs of infection by this malware are as follows:
- Creating the following files in the Temp path of the operating system:
- Playerp2.0.exe
- 4AEB.tmp
- wyfdggk.exe
- fish.exe
- OperaSetup.exe
- WCInstaller.exe
- F.tmp
- Webcompanioninstaller.exe
- Adjusting startup (Run key) entries for the browser_assistant.exe and Webcompanioninstaller.exe files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Disabling anti-spyware through the Windows Defender policy value:
Microsoft\Windows Defender\DisableAntiSpyware
Function explanation:
The fish.exe file is responsible for downloading the ad tools onto the system. This file performs all of its ad activity via the Opera browser.
The malware initially downloads the eagle.exe file from install[.]portmdfmoon[.]com/download/APSFADexNR and then copies it to an executable file named fish.exe; i.e. eagle.exe is stored on the victim's system as fish.exe and executed as a process. From then on, in addition to showing ads, this file carries out other activities by invoking other programs such as the network command shell (netsh):
- netsh http add urlacl url=http://+:9007/ user=EveryOne
This command reserves the URL namespace http://+:9007/ for all users, so that a process running under any account can listen for and receive HTTP requests on port 9007.
The malware also downloads a file named webcompanion.exe. This file is an advertising module that runs without the user's knowledge and performs advertising on websites, including showing banners, ad images, etc.
In summary, this malware attempts to download its desired files from predetermined addresses and place them in a specific path on the system. These addresses are:
- Install[.]portmdfmoon[.]com/download/APSFADeXNR
- Osdsoft[.]tk/20190118/multishare[.]exe
- Filesharing247[.]pw/nmgewiakjaoq[.]exe
- https://linkury[.]s3-eu-west-2[.]amazonaws[.]com/safefinder[.]exe
- citygame[.]xyz/app[.]exe
Then, by disabling system security mechanisms such as various Windows Defender parameters and, if one of a group of antivirus products is installed, taking action depending on which product it is, it prepares the ground for downloading and executing other malware.
The list of antivirus products is as follows:
- Kaspersky Lab
- Avira
- G Data
- Sophos
- McAfee
- ArcaBit
- BitDefender
- TrendMicro
- K7 computing
- MicroWorld
- IKARUS
- Jiangmin
- Fortinet
- AVAST software
- ESET
- Doctor Web
- AVG
- Microsoft
- AhnLab
- Comodo
- F-Secure
- ClamWin
- Lavasoft
- Agnitum
- Solo Antivirus
- Symantec
- Filseclab
- VIPRE
- TGSoft
- Virit
- Zillya
- Panda Security
- NANO Antivirus
- Quick Heal
- Total Defense
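As an added host-triage check (not Padvish's tool and not part of the original write-up), the following PowerShell script looks for the indicators listed above on a Windows host: the dropped Temp files, the Run-key entries for browser_assistant.exe and Webcompanioninstaller.exe, the DisableAntiSpyware value, and the URL reservation for port 9007. The user's %TEMP% as the Temp path and the full policy key HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender for the DisableAntiSpyware value are assumptions.

```powershell
# Added triage script for the Oxypumper indicators described in this write-up (not Padvish's code).
# Assumptions: %TEMP% is the Temp path the malware writes to, and DisableAntiSpyware lives under
# the Windows Defender policy key. Run from an elevated PowerShell so the HKLM key is readable.
function Get-OxypumperIndicators {
    $findings = @()

    # 1. Dropped files in the user's Temp directory (names taken from the write-up)
    $tempNames = 'Playerp2.0.exe', '4AEB.tmp', 'wyfdggk.exe', 'fish.exe',
                 'OperaSetup.exe', 'WCInstaller.exe', 'F.tmp', 'Webcompanioninstaller.exe'
    foreach ($name in $tempNames) {
        $path = Join-Path $env:TEMP $name
        if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
    }

    # 2. Run-key persistence for browser_assistant.exe / Webcompanioninstaller.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ("$($prop.Value)" -match 'browser_assistant\.exe|Webcompanioninstaller\.exe') {
                $findings += "Run-key persistence: $($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 3. Windows Defender anti-spyware disabled via policy (assumed key location)
    $defKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $defKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($value -eq 1) { $findings += "Defender policy DisableAntiSpyware=1 under $defKey" }

    # 4. URL namespace reservation that lets the adware listen on port 9007
    $urlacl = netsh http show urlacl 2>$null
    if ($urlacl -match 'http://\+:9007/') { $findings += 'URL ACL reserved for http://+:9007/' }

    return $findings
}

$result = Get-OxypumperIndicators
if ($result.Count -eq 0) { 'No Oxypumper indicators found.' } else { $result }
```

A non-empty result is a reason to run a full antivirus scan, remove the Run-key entries, and restore the Defender policy value rather than only deleting the Temp files.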
How to deal with it and disinfect the system
Padvish Antivirus detects this malware and disinfects the system. To prevent this kind of malware from entering the system, it is recommended to avoid clicking on suspicious links and to scan every file attached to an email before executing it. Also, whenever possible, keep your OS and antivirus up to date.