For about a week now there have been repeated posts on the BleepingComputer and Malwarebytes forums about a BITSADMIN 3.0 command prompt that repeatedly opens on its own and downloads files. What all of these users had in common was a large number of adware and unwanted programs installed on their computers.
It wasn't until yesterday that researchers on these forums, such as Aura and Djordje Lukic, discovered that this behavior was being caused by an adware bundle called FileTour. FileTour is an adware bundle that downloads adware, unwanted browser extensions, PUPs, and miners onto an infected computer. A distinguishing characteristic of FileTour is that it almost always installs PUPs aimed at Russian-speaking users, such as programs related to Mail.ru and extensions whose titles are written in Russian.
FileTour has recently added persistence so that it can keep downloading and installing unwanted programs on a victim's computer. It does this by creating several batch files, which are executed by scheduled tasks at login and every 3 hours thereafter.
The batch files use very basic obfuscation and launch a renamed copy of BitsAdmin stored directly in the C:\Windows folder to download further adware and unwanted programs onto the computer. Renaming the binary defeats detections that key on the bitsadmin.exe file name, but because it is an unmodified copy of a Windows tool, its file hash and PE version information still identify it. An example of one of these obfuscated batch files from my test can be seen below.
Once the obfuscation is removed, the batch file's purpose becomes clear: it registers a new scheduled task and then uses the renamed BitsAdmin, located at C:\Windows\AiruE.exe, to download a file from a remote site and execute it.
When the batch file above runs, the victim briefly sees a command prompt open and display BitsAdmin's output.
BitsAdmin then downloads the file from a remote site, in this case http://liflingren.info/8i966f7x8ps9.zip, and saves it in the %Temp% folder. Because the transfer is carried out by the BITS service rather than by the renamed binary itself, the network connection originates from the svchost.exe process hosting BITS, not from AiruE.exe.
When the download finishes, the batch file executes the downloaded program, which will typically cause a UAC prompt to be displayed.
If a victim clicks on Yes, the new adware or other unwanted program will be installed on the computer.
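The chain described above leaves three artifacts on an infected machine: the scheduled tasks that run the batch files, the renamed BitsAdmin copy under C:\Windows, and any BITS job that is still queued. The following PowerShell script is an added example for hunting those artifacts; it is not code from the original article or from FileTour. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (ScheduledTasks and BitsTransfer modules present) and an elevated prompt, and its regexes are generic heuristics for batch-file BITS usage and caret obfuscation rather than FileTour signatures. The file name AiruE.exe from the article is not hard-coded, because the name will differ between infections.

```powershell
# Added hunting script, not code from the original article or from FileTour.
# Assumptions: PowerShell 5.1+ on Windows 8 / Server 2012 or later (ScheduledTasks and
# BitsTransfer modules present), run from an elevated prompt so all users' tasks and
# BITS jobs are visible. Indicators taken from the article: scheduled tasks that run
# batch files, a renamed copy of bitsadmin.exe directly under C:\Windows, and BITS jobs
# that pull files into %TEMP%. The regexes below are heuristics, not FileTour signatures.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. Scheduled tasks whose action runs cmd.exe or a .bat/.cmd file. For each batch file we
#    can read, strip caret insertion (b^i^t^s^a^d^m^i^n), the most basic cmd.exe obfuscation,
#    and look for BITS or schtasks usage in the cleaned text. Unquoted paths containing
#    spaces will not be picked up by the path regex; review those tasks by hand.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmdline = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmdline -notmatch '(?i)\.(bat|cmd)\b|\bcmd(\.exe)?\b') { continue }
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmdline

        if ($cmdline -match '(?i)([a-z]:\\[^"\s]+\.(?:bat|cmd))') {
            $bat = $Matches[1]
            if (Test-Path -LiteralPath $bat) {
                $plain = (Get-Content -LiteralPath $bat -Raw) -replace '\^', ''
                $hits  = $plain -split "`r?`n" |
                         Where-Object { $_ -match '(?i)bitsadmin|/transfer|/download|schtasks' }
                if ($hits) { Add-Finding 'BatchFile' $bat (($hits | Select-Object -First 3) -join ' | ') }
            }
        }
    }
}

# 2. Executables directly under %SystemRoot% (where the article's sample kept its copy) that
#    are really bitsadmin.exe. Renaming changes neither the PE version resource nor the hash.
#    The hash check only matches a copy of the same build as System32's; the version-info
#    check also catches a copy taken from SysWOW64 or another Windows build.
$realBits = Join-Path $env:SystemRoot 'System32\bitsadmin.exe'
$realHash = (Get-FileHash -LiteralPath $realBits -Algorithm SHA256).Hash
foreach ($exe in Get-ChildItem -Path (Join-Path $env:SystemRoot '*.exe') -File) {
    $vi = $exe.VersionInfo
    $byVersion = ($vi.OriginalFilename -match '(?i)^bitsadmin') -or ($vi.InternalName -match '(?i)^bitsadmin')
    $byHash    = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash -eq $realHash
    if ($byVersion -or $byHash) {
        Add-Finding 'RenamedBitsAdmin' $exe.FullName `
            ("OriginalFilename={0}; SameHashAsSystem32={1}" -f $vi.OriginalFilename, $byHash)
    }
}

# 3. BITS jobs still in the queue. Completed jobs are removed, but a job that failed or is
#    suspended keeps both the remote URL and the local %TEMP% path it was writing to.
Import-Module BitsTransfer -ErrorAction SilentlyContinue
foreach ($job in (Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)) {
    foreach ($f in $job.FileList) {
        Add-Finding 'BitsJob' ("{0} [{1}]" -f $job.DisplayName, $job.JobState) `
            ("{0} -> {1}" -f $f.RemoteName, $f.LocalName)
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt and review the output before removing anything, since legitimate software also registers tasks that run batch files. A task confirmed as malicious can be removed with Unregister-ScheduledTask -TaskPath <path> -TaskName <name> -Confirm:$false, the renamed binary deleted once it is confirmed to be a copy rather than the real System32\bitsadmin.exe, and leftover jobs cleared with bitsadmin /reset /allusers. Keep in mind that the downloaded payload runs only after the victim accepts the UAC prompt, so the artifacts above may be present even when no new adware has been installed yet.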
This behavior further illustrates how adware purveyors continue to cross the boundary into full-fledged malware whose only purpose is to push unwanted software onto a victim's computer.