All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected

Posted by javajolt (Administrator)
Starting yesterday, there have been numerous reports of people being infected with something called "All-Radio 4.27 Portable". After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer.


[Image: All-Radio 4.27 Portable]

If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer.

Some of the VirusTotal scans associated with this infection have also indicated that an information-stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected.

For those interested in more information about the infection, you can read the rest of the article. If you are here because you are infected, be sure to open a virus removal help topic to get assistance removing this infection.

All-Radio 4.27 Portable infection installed through cracks

This malware campaign appears to have started yesterday when people began requesting help in the Malwarebytes forum. These help requests were from users who suddenly saw a program called All-Radio 4.27 Portable in Windows, but could not find a way to remove it.

While All-Radio 4.27 Portable appears to be a legitimate Russian online video and radio program, the malware authors have copied it and created an imposter to act as a front for other malware that is installed.

When malware removal expert Aura started helping these victims, he noticed a common theme. Most of the users reported being infected after they downloaded and installed game cracks and Windows activation tools such as KMSpico.

When I checked all of the reported links, I found that the supposed cracks were an "aimp" adware bundle. This adware bundle is what is most likely pushing the malware package.


[Image: aimp Adware Bundle]

This malware package has a whole basket of goodies

From the research conducted by myself, Aura, and Elise, it was found that the infection will download and install a cascade of malware that ultimately infects a computer with a rootkit, a miner, a clipboard hijacker, a spammer, and other Trojan downloaders.

The main installer, which is virtual-machine-aware, is installed as %AppData%\Microsoft\Windows\[random]\[random].exe and injects a process into Explorer.exe. This process then copies itself to %Temp%\allradio_4.27_portable.exe and displays the All-Radio 4.27 Portable screen.


[Image: All-Radio 4.27 Portable]

It will then download and install various files into the %Temp% folder and execute them. These downloaded files will ultimately install the following malware:

   • A program that connects to http://iplogger.com/1kfvV6 for statistics purposes.

   • A miner called file.exe that is injected into C:\Windows\Syswow64\svchost.exe.

   • Malware that monitors the clipboard for 2,343,286 cryptocurrency addresses and, if one is detected, replaces it with a different address under their control. This allows the malware developers to steal the cryptocoins that are transferred to their account instead of the expected one. You can read more about this type of malware here.


[Image: Portion of Monitored CryptoCurrency Addresses]

   • A rootkit driver with a random file name under the %Temp% folder that hides another service, one that has a display name of "wifi support". The protected service is created with the commands:

Quote
sc create fjuolnkd binPath= "C:\Windows\SysWOW64\fjuolnkd\wwvbmahk.exe /d\"C:\Users\admin\AppData\Local\Temp\A159.tmp.exe\"" type= own start= auto DisplayName= "wifi support"
sc description fjuolnkd "wifi internet conection"


[Image: Rootkit Driver]

   • A Trojan downloader that can download and install other malware.

   • A Trojan that uses your computer to send spam.
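The persistence details above (a service with display name "wifi support" whose binary sits in a random-named folder under SysWOW64 and is launched with a /d argument pointing at a .tmp.exe in %Temp%, plus the dropped %Temp%\allradio_4.27_portable.exe and %AppData%\Microsoft\Windows\[random]\[random].exe) can be turned into a simple triage check. The following Python script is an added example written for this post; it is not code from the original article or from any of the researchers named. It assumes you have captured the output of `sc qc <service>` for each service on the suspect machine; the two `sc qc` blocks embedded below are constructed samples (one built from the service details quoted above, one benign Print Spooler entry) so the script runs offline.

```python
import re
from typing import Dict, List

# Constructed sample: what `sc qc fjuolnkd` would print for the rogue service
# described in the write-up. Built from the quoted `sc create` command; on a
# real machine you would feed in the actual `sc qc` output instead.
SAMPLE_SC_QC_ROGUE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: fjuolnkd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\SysWOW64\fjuolnkd\wwvbmahk.exe /d"C:\Users\admin\AppData\Local\Temp\A159.tmp.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : wifi support
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Constructed sample: a benign service, to show the rules stay quiet on it.
SAMPLE_SC_QC_BENIGN = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem
"""

# Service binary living in a random-named folder directly under SysWOW64.
SYSWOW_SUBDIR_RE = re.compile(
    r"^C:\\Windows\\SysWOW64\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe\b", re.IGNORECASE)
# A /d argument that points at a .tmp.exe inside the user's %Temp% folder.
TEMP_TMP_EXE_ARG_RE = re.compile(
    r'/d"?[^"]*\\AppData\\Local\\Temp\\[^"]*\.tmp\.exe', re.IGNORECASE)
# Dropped copy of the installer named in the write-up.
ALLRADIO_RE = re.compile(
    r"\\AppData\\Local\\Temp\\allradio_4\.27_portable\.exe$", re.IGNORECASE)
# An .exe in a subfolder of %AppData%\Microsoft\Windows (Roaming), where the
# main installer is placed; legitimate content there is shortcuts, not binaries.
APPDATA_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe$",
    re.IGNORECASE)


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn the KEY : VALUE lines of `sc qc` output into a dict.

    Continuation lines (extra DEPENDENCIES entries) have no key and are skipped.
    """
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def assess_service(cfg: Dict[str, str]) -> List[str]:
    """Return the indicators from the write-up that this service config matches."""
    findings: List[str] = []
    display = cfg.get("DISPLAY_NAME", "")
    binpath = cfg.get("BINARY_PATH_NAME", "")
    if display.strip().lower() == "wifi support":
        findings.append('display name "wifi support" matches the rogue service')
    if SYSWOW_SUBDIR_RE.match(binpath):
        findings.append("binary is in a random-named folder directly under SysWOW64")
    if TEMP_TMP_EXE_ARG_RE.search(binpath):
        findings.append("launched with a /d argument pointing at a .tmp.exe in %Temp%")
    return findings


def assess_path(path: str) -> List[str]:
    """Flag file paths that match the dropper locations named in the write-up."""
    findings: List[str] = []
    if ALLRADIO_RE.search(path):
        findings.append("matches the dropped %Temp%\\allradio_4.27_portable.exe")
    if APPDATA_EXE_RE.search(path):
        findings.append("executable inside %AppData%\\Microsoft\\Windows, the installer's location")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SC_QC_ROGUE, SAMPLE_SC_QC_BENIGN):
        cfg = parse_sc_qc(sample)
        hits = assess_service(cfg)
        print(cfg["SERVICE_NAME"], "->", hits or "no indicators")
    # Constructed path, not a value from the page.
    print(assess_path(r"C:\Users\admin\AppData\Local\Temp\allradio_4.27_portable.exe"))
```

Each rule is deliberately narrow and tied to a detail the write-up gives, so a hit is a reason to open a removal help topic rather than a verdict on its own; the rootkit that hides the service means an empty result on a live machine is not a clean bill of health either.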

According to some of the VirusTotal scans, some of the infections could also be information-stealing Trojans. Therefore, if you logged into any accounts while infected, you may want to change your passwords at those accounts from a clean machine.

As you can see, this is a serious infection with malware that can potentially steal your account credentials, use your computer for mining, and download other malware onto your computer. Its use of a rootkit to protect some of its functions indicates that the malware developer means business, and we can expect to see this continue to be distributed. Therefore, be sure to clean your computer if you have any of the above symptoms.

Finally, cracks have always been a source of malware, especially for consumers. Due to this, it is strongly advised that you avoid cracks and other programs that can generate software licenses as they are commonly infected with malware.

source