Inability to load the sites listed at the end of the following section.
Please let BitDefender disinfect your files.
Deac Razvan-Ioan, virus researcher
This executable is used to download and run other malicious applications from the internet (mostly password stealers).
When run, the downloader drops a dynamic link library in the %temp% directory under a random name, such as 4049437_ex.tmp, 4099250_ex.tmp or 4161421_ex.tmp.
The malware calls a function exported by this DLL to run the files it downloads (probably to evade heuristic detection based on the classic API calls).
The malware retrieves a list of the internet locations of the files to download from http://www.oi......./ko.txt. The list is saved as %system32%\kn.txt and looks like this:
This list is parsed and each file is downloaded and executed, with a random delay between these operations.
Also, this executable replaces the hosts file (%system32%\drivers\etc\hosts) with another one downloaded from http://www.oi...../ad.jpg. This is a fragment of the downloaded hosts file:
This hosts file doesn't prevent any AV updates. It is probably used only to overwrite the previous hosts file, which might have contained some cleverly chosen blocking entries. However, a good way to tell whether the malware ran on your machine is to check whether you can access these sites.
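A defender-side triage check for the two artifacts described above (the overwritten hosts file and the `<digits>_ex.tmp` library in %temp%), added here as an example and not part of BitDefender's writeup; the hosts contents and the %temp% listing are constructed samples, not the real dropped files:

```python
import re
import ipaddress

# Constructed sample hosts file: the default localhost lines plus the kind of
# entries a swapped-in hosts file may carry (a block and a redirect).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         example-av-update.test
192.0.2.10      update.example.test   # routable address: a redirect
"""

# Constructed sample listing of %temp%, as a triage script would collect it.
SAMPLE_TEMP_LISTING = ["4049437_ex.tmp", "report.docx", "~DF1234.tmp"]

# Naming pattern of the dropped library described in the writeup.
DROPPED_DLL_RE = re.compile(r"^\d+_ex\.tmp$", re.IGNORECASE)


def suspicious_hosts_entries(hosts_text):
    """Return (address, hostname, kind) for every mapping that is not the
    standard localhost line. A clean hosts file has nothing else, so each hit
    deserves a look: unspecified/loopback targets block a site, anything
    routable redirects it."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue
            kind = "block" if (ip.is_unspecified or ip.is_loopback) else "redirect"
            hits.append((addr, name, kind))
    return hits


def dropped_dll_candidates(temp_listing):
    """Return file names in %temp% matching the random <digits>_ex.tmp pattern."""
    return [f for f in temp_listing if DROPPED_DLL_RE.match(f)]


if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(dropped_dll_candidates(SAMPLE_TEMP_LISTING))
```

On a live machine, read %SystemRoot%\System32\drivers\etc\hosts and list %temp% instead of the constructed samples; a hit from either function is a reason to inspect the machine and check for %system32%\kn.txt as well.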