CodeExplorer, posted August 10:
Is this real malware? C:\Users\UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk - that file was renamed to Internet Explorer.vir. It's just a shortcut: "C:\Program Files\Internet Explorer\iexplore.exe" http://hi.ru/?dk71 It is detected by some antiviruses: https://www.virustotal.com/gui/file/9f9002954be80252c9cd7c73114ac2805343b14259619c08bbda50402899c8b4?nocache=1 (attachment: InternetExplorer.vir)
Stuttered, posted August 10:
I don't see how, unless the site itself is somehow linked to malware delivery.
Luca91, posted August 10:
Hi @CodeExplorer, that shortcut will cause Internet Explorer (iexplore) to open that website (ofc you already know this). Now, I used https://www.url2png.com/ to take a look at the content of that URL without visiting it and it seems like there is nothing important there at the moment. Googling the domain name, I found out that it is quite famous because it has been used by hijackers in the past. It is possible that you have been infected by a very old and quite silly hijacker (targeting the now-discontinued iexplorer); a simple vir scan should be enough to resolve the situation (or you can search the process yourself).
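The shortcut in question is a browser launched with a hard-coded URL argument, which is the classic homepage-hijack pattern. As an added example (not from any poster in this thread), this PowerShell script walks the per-user and all-users Start Menu folders, resolves every .lnk through the WScript.Shell COM object, and reports those whose arguments contain a URL; the two Start Menu paths are assumed standard Windows locations.

```powershell
# Added example: list Start Menu shortcuts that pass a URL to their target,
# the pattern seen in the Internet Explorer.lnk discussed above.
$shell = New-Object -ComObject WScript.Shell

# Per-user and all-users Start Menu roots (assumed standard Windows locations).
$roots = @(
    (Join-Path $env:APPDATA    'Microsoft\Windows\Start Menu\Programs')
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs')
)

$suspicious = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -File | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # Legitimate program shortcuts rarely carry a URL as an argument;
        # a browser forced to open a fixed site is what a hijacker plants.
        if ($lnk.Arguments -match '(?i)https?://') {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    }
}

if ($suspicious) {
    $suspicious | Format-Table -AutoSize
} else {
    'No Start Menu shortcuts with URL arguments found.'
}
```

Run it from a normal user session; resolving a shortcut through WScript.Shell reads its fields without launching the target.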
Stuttered, posted August 10 (edited):
As a side note, current browsers won't auto-allow a NON-HTTPS (443) connection. You could use the tool Fiddler (or similar) to see if a payload is downloaded. From there, you dissect it (of course).
Edited August 10 by Stuttered
MarcElBichon, posted August 11 (edited):
Yes, good ole browser hijacking. Remember HiJackThis... (latest reincarnation https://github.com/dragokas/hijackthis/) You installed some software (packaged, of Russian origin) which changes the start page (adware). You could also try AVZ (https://www.safezone.cc/resources/antivirusnaja-utilita-avz-5.227/download)
Edited August 11 by MarcElBichon
CodeExplorer (author), posted August 11:
I installed SuperMariotySetup.exe - that was the Russian software. Here is its scan: https://www.virustotal.com/gui/file/df42418c9ffd3012cf438a9121068551a884273895c77f744c4642bb0202b09b So I am still wondering if this is actually malware!
jackyjask, posted August 11:
Of course it is. Alert rate > 50%. The summary is clear - don't install Russian SW.
kao, posted August 11:
> 43 minutes ago, CodeExplorer said: if this is actually malware
Define "actual malware". Judging from that old VT analysis it's an old pay-per-install adware/browser hijacker. Back in the old days, this type of software was used to hijack the Internet Explorer homepage, inject some ads, run some ad referral/click scams, and/or grab personal information from IE. Will it destroy your machine today, steal your credit cards and encrypt all your porn collection for a ransom? Unlikely. Would I personally want such activity on my real machine? Hell, no.
CodeExplorer (author), posted August 11 (edited):
Besides that strange Internet Explorer.lnk, I've noticed that portable Firefox doesn't work any more: it can't load any website. I also noticed that something is installed as a stand-alone program (in uninstall) - I can't remember what. I restored my OS from backup. I've reinstalled SuperMariotySetup.exe and it is not the source of the shortcut Internet Explorer.vir.
Edited August 11 by CodeExplorer
CodeExplorer (author), posted August 11:
> 1 hour ago, jackyjask said: have you checked Autoruns?
I restored my OS from backup. My system is now clean.
jackyjask, posted August 11:
How exactly did you restore your OS? Some super advanced virii might even jump into the BIOS.
CodeExplorer (author), posted August 11:
> 1 hour ago, jackyjask said: how exactly did you restore your OS?
I have a backup of the C:\ partition made with "Paragon Backup and Recovery 14 Free". I just restored the C:\ partition from that backup.
kao, posted August 11:
> 4 hours ago, CodeExplorer said: I restored my OS from backup
HUGE respect to you for actually having a backup. But given that VMware Workstation is now free for personal use, why aren't you using it to test the weird and suspicious software you encounter?
_blaCKlBYte_, posted August 13:
I saw some adverts about "Selling Shortcut .lnk Downloader Builder" in some Russian hacking forums. They sell this app or builder to make undetectable malware downloaders. So be aware ...