28 November 2010

eMule Kad search full of fake files: hundreds of aMule clients spreading faked file names containing a setup.exe with malware!

Recently, when you do a search on Kad in eMule, you may find search results with an unusually high number of sources. Nearly all of these sources are aMule v2.2.6 clients with nicknames such as Admin, Administrador, Administrateur, Administrator, Usario, utente, Utilisateur, ...

These are file fakers spreading viruses, ad toolbars and other malware over the ed2k network!

The files are mostly a rar or zip archive containing a single Setup.exe with file date 01.01.1980. File sizes vary from 1.5 to 78 MB.


When you run this exe, your web browser may open on malware-serving websites, for example: http://zumasoft.com/ etc...

It silently installs a bundle of different malware:

- Bandoo.exe (runs in the background immediately)
Fun4IM Coordinator (Discordia Limited)
located under \Program Files\Fun4IM
to uninstall: terminate the process Bandoo.exe, then run \Program Files\Fun4IM\UNWISE.EXE

- Windows Searchqu Toolbar
datamngrUI.exe (runs in the background immediately)
located under \Program Files\Windows Searchqu Toolbar
to uninstall: terminate the process datamngrUI.exe, then run \Program Files\Windows Searchqu Toolbar\uninstall.exe

- several empty folders, such as \Program Files\icons

A significant number of registry keys remain on the system even after the uninstallers have run. It is therefore recommended to run a registry cleaner, or to remove the keys listed below by hand.

The registry keys of these BHOs and toolbars for manual cleaning are (each line gives the COM server type, the server executable or DLL, then the CLSID key under HKCR):

ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}
ActiveX/COM InProcServer32\C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll HKCR\CLSID\{7FF99715-3016-4381-84CE-E4E4C9673020}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}
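The manual cleanup above (terminate the processes, run the uninstallers, delete the CLSID keys) as a script. This is an added example, not code from the original post: it embeds the post's CLSID listing verbatim, looks each key up in HKCR through Python's winreg module when run on Windows, and elsewhere runs against a constructed in-memory stand-in for the registry. The taskkill and reg delete command strings it prints are what you would then run from an elevated prompt; everything apart from the CLSIDs, paths and process names taken from the post is an assumption of this example.

```python
"""Check for the Fun4IM / Searchqu COM registrations listed in the post.

Added example, not code from the original post. Parses the post's own listing,
looks each CLSID up in HKCR on Windows (winreg), and prints the taskkill /
reg delete commands for whatever is actually present. The registry lookup is
injectable so the logic also runs off-Windows against a simulated registry.
"""
import sys

# The 15 listing lines from the post, verbatim: "ActiveX/COM <subkey>\<server> <CLSID key>".
LISTING = r"""
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{074E4EFE-81BB-4EA4-866E-082CB0E01070}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{0CE5B352-9D9C-41E1-9551-FCCD92820217}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{167B2B5F-2757-434A-BBDA-2FDB2003F14F}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{27F69C85-64E1-43CE-98B5-3C9F22FB408E}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{2E9A60EA-5554-49C3-BC9D-D0404DBACC62}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{3E63C9BC-DD51-4E83-ABA6-B350EAD28531}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{44CFFEF4-E7E1-44BD-B1F5-29F828ADA1B8}
ActiveX/COM InProcServer32\C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll HKCR\CLSID\{7FF99715-3016-4381-84CE-E4E4C9673020}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{B543EF05-9758-464E-9F37-4C28525B4A4C}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{BB76A90B-2B4C-4378-8506-9A2B6E16943C}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\BndCore.exe" HKCR\CLSID\{C3AB94A4-BFD0-4BBA-A331-DE504F07D2DB}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{EF2B6317-C367-401B-83B8-80302D6588A7}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{F5379B4B-24D8-432A-9A96-BE75EE5117DB}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{F7FB2BC4-6C27-4EAC-B5E2-037B71FDE101}
ActiveX/COM LocalServer32\"C:\PROGRA~1\Fun4IM\Bandoo.exe" HKCR\CLSID\{FD53FE35-4368-4B71-89D6-F29F3DB29DF1}
"""

# Processes the post says must be terminated before the uninstallers will run.
PROCESSES = ["Bandoo.exe", "datamngrUI.exe"]


def parse_listing(text):
    """Turn listing lines into dicts: key (HKCR\CLSID\{...}), subkey, server path."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ActiveX/COM "):
            continue
        body, key = line.rsplit(" ", 1)            # the CLSID key is the last token
        subkey, server = body[len("ActiveX/COM "):].split("\\", 1)
        entries.append({"key": key, "subkey": subkey, "server": server.strip('"')})
    return entries


def winreg_reader(key, subkey):
    """Default value of HKCR\...\<subkey>, or None if the key is absent (Windows only)."""
    import winreg
    root, path = key.split("\\", 1)                # "HKCR", "CLSID\{...}"
    hive = {"HKCR": winreg.HKEY_CLASSES_ROOT}[root]
    try:
        with winreg.OpenKey(hive, path + "\\" + subkey) as h:
            return winreg.QueryValueEx(h, "")[0]
    except OSError:
        return None


def make_fake_reader(present):
    """Simulated registry for non-Windows runs: present maps (key, subkey) -> default value."""
    return lambda key, subkey: present.get((key, subkey))


def scan(entries, reader):
    """Return the entries whose CLSID server key exists, with the value actually found."""
    hits = []
    for e in entries:
        value = reader(e["key"], e["subkey"])
        if value is not None:
            hits.append(dict(e, actual=value.strip('"')))
    return hits


def cleanup_commands(hits):
    """Kill the background processes, then delete each CLSID key that was found.
    Deleting the CLSID key removes its LocalServer32/InProcServer32 subkey with it."""
    cmds = [f"taskkill /F /IM {p}" for p in PROCESSES]
    for key in dict.fromkeys(h["key"] for h in hits):   # distinct keys, order preserved
        cmds.append(f'reg delete "{key}" /f')
    return cmds


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    if sys.platform == "win32":
        reader = winreg_reader
    else:
        # Constructed demo data: pretend two of the CLSIDs are registered.
        reader = make_fake_reader({
            (entries[0]["key"], entries[0]["subkey"]): '"C:\\PROGRA~1\\Fun4IM\\Bandoo.exe"',
            (entries[7]["key"], entries[7]["subkey"]): entries[7]["server"],
        })
    hits = scan(entries, reader)
    for h in hits:
        print(f'{h["key"]}\\{h["subkey"]} -> {h["actual"]}')
    print("\n".join(cleanup_commands(hits)))
```

Run the uninstallers listed above between the taskkill and the reg delete steps; the script only reports which CLSID keys the uninstallers left behind and does not delete anything itself.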

If you are on a narrow-band Internet connection, such as DSL below 2000 kbit/s, ISDN, or a mobile link (256k, 128k, 56k, EDGE, GPRS), you will notice a significant loss of speed due to the silently installed applications and toolbars (BHOs).

Be careful: some AVs do not detect this kind of malware, although a firewall may still block the file's network access.

Many searches for eMule mod names are affected as well, with source counts between 40 and 800.

In general, I advise never to run setup.exe if it is the only content of a zip or rar file.
The probability that such file contents (setup, install) are junk is, I think, over 80%.
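The two indicators the post gives for a fake archive (a setup.exe as the only content, and a 01.01.1980 file date) as a checker. This is an added example, not code from the original post: it handles zip archives only, since Python's standard library has no rar reader, and the sample archives it tests against are constructed inside the script.

```python
"""Heuristic check for the fake-archive pattern in the post: a zip whose only
content is an installer executable, and/or member timestamps of 1980-01-01.

Added example, not code from the original post. Zip only (no stdlib rar reader).
"""
import io
import sys
import zipfile

DOS_EPOCH = (1980, 1, 1, 0, 0, 0)        # earliest timestamp the zip (DOS) format can store
INSTALLER_NAMES = {"setup.exe", "install.exe"}


def assess_zip(data):
    """Return (suspicious, reasons) for the raw bytes of a zip archive."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    basenames = [m.filename.rsplit("/", 1)[-1].lower() for m in members]

    # The post's rule of thumb: an archive whose only file is setup.exe / install.exe.
    if len(members) == 1 and basenames[0] in INSTALLER_NAMES:
        reasons.append(f"only content is an installer: {members[0].filename}")

    # The post's second observation: Setup.exe dated 01.01.1980. That is the zip
    # format's minimum date, i.e. the timestamp was zeroed; weak on its own.
    for m in members:
        if m.date_time[:3] == DOS_EPOCH[:3]:
            reasons.append(f"{m.filename}: timestamp is 1980-01-01 (zeroed)")

    return bool(reasons), reasons


def build_zip(files):
    """Constructed sample archives: files is a list of (name, bytes, date_time)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, date_time in files:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()


# Constructed samples: one shaped like the fakes in the post, one ordinary release.
FAKE = build_zip([("Setup.exe", b"MZ" + bytes(64), DOS_EPOCH)])
BENIGN = build_zip([
    ("tool-1.0/README.txt", b"constructed sample\n", (2010, 11, 28, 12, 0, 0)),
    ("tool-1.0/tool.exe", b"MZ" + bytes(64), (2010, 11, 27, 9, 30, 0)),
])


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        samples = [(p, open(p, "rb").read()) for p in paths]
    else:
        samples = [("FAKE", FAKE), ("BENIGN", BENIGN)]
    for label, data in samples:
        suspicious, reasons = assess_zip(data)
        print(f"{label}: {'SUSPICIOUS' if suspicious else 'ok'}")
        for r in reasons:
            print("   -", r)
```

Run it with one or more .zip paths to check real downloads; with no arguments it assesses the two constructed samples. The 1980 date is the DOS epoch and appears whenever a packer zeroes timestamps, so treat it as corroboration of the single-installer rule rather than proof by itself.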


