For about a week now there have been repeated posts on the BleepingComputer and Malwarebytes forums regarding a BITSADMIN 3.0 command prompt that repeatedly opens on its own and downloads files. What all of these users had in common were numerous adware and unwanted programs installed on the computer.

Bitsadmin 3.0 Prompt

It wasn't until yesterday that researchers at these forums, such as Aura & Djordje Lukic, discovered that this behavior was being caused by an adware bundle called FileTour. FileTour is an adware bundle that downloads adware, unwanted extensions, PUPs, and miners to an infected computer. An interesting characteristic of FileTour is that it almost always installs PUPs written for Russian victims. These include programs related to Mail.ru and extensions whose titles are written in Russian.

Mail.ru Program

Recently FileTour seems to have decided to add persistence to its behavior in order to further download and install unwanted programs on a victim's computer. It does this by creating various batch files which are executed by scheduled tasks at login and every 3 hours thereafter.

Scheduled Task

The batch files that are executed contain very basic obfuscation and are used to launch a renamed copy of BitsAdmin stored in the C:\Windows folder to download further adware and unwanted programs onto the computer. An example of one of these obfuscated batch files from my test can be seen below.

Obfuscated Batch File

When you clean up the batch file, you can get a better picture as to what it is trying to do. This batch file will create a new task and then use a renamed Bitsadmin, located at C:\Windows\AiruE.exe, to download a file from a remote site and execute it.

Cleaned up Batch File
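The two artifacts described above (a renamed copy of bitsadmin.exe dropped into C:\Windows, and scheduled tasks that run batch files at logon and on a repeating interval) can be hunted for from an elevated PowerShell prompt. This is an added example for defenders, not code from the article or from FileTour; it assumes a standard Windows install with the genuine bitsadmin.exe in System32 and flags anything that matches rather than relying on a particular file name such as AiruE.exe.

```powershell
# Added example (not from the article): hunt for the FileTour persistence
# artifacts described above. Assumes the genuine bitsadmin.exe is present in
# %SystemRoot%\System32 to serve as the reference copy.

$referenceHash = (Get-FileHash "$env:SystemRoot\System32\bitsadmin.exe" -Algorithm SHA256).Hash

# 1. Renamed copies of bitsadmin placed directly in C:\Windows.
#    A renamed but otherwise unmodified copy keeps the embedded
#    OriginalFilename of "bitsadmin.exe" and hashes identically to the
#    System32 original, so either signal is enough to flag it.
Get-ChildItem "$env:SystemRoot\*.exe" -File | ForEach-Object {
    $orig = $_.VersionInfo.OriginalFilename
    $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    if ($_.Name -ine 'bitsadmin.exe' -and
        ($orig -ieq 'bitsadmin.exe' -or $hash -eq $referenceHash)) {
        [pscustomobject]@{
            Finding = 'Renamed bitsadmin copy'
            Path    = $_.FullName
            SHA256  = $hash
        }
    }
}

# 2. Scheduled tasks whose action runs a .bat/.cmd file, reporting the
#    trigger type (e.g. MSFT_TaskLogonTrigger) and any repetition interval
#    (the article's tasks repeat every 3 hours, i.e. PT3H).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -imatch '\.(bat|cmd)\b') {
            $triggers = $task.Triggers | ForEach-Object {
                $desc = $_.CimClass.CimClassName
                if ($_.Repetition.Interval) { $desc += " every $($_.Repetition.Interval)" }
                $desc
            }
            [pscustomobject]@{
                Finding  = 'Scheduled task runs batch file'
                Task     = "$($task.TaskPath)$($task.TaskName)"
                Command  = $cmd
                Triggers = ($triggers -join '; ')
            }
        }
    }
}
```

Review any hit against the batch file it points at before removing it, since legitimate software occasionally schedules batch files too; the renamed-bitsadmin check has far fewer benign matches.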

Using the above batch file as an example, when it launches a victim will see a command prompt open and display the Bitsadmin screen for a brief period of time.

Bitsadmin Starting

Bitsadmin will then begin to download the file from a remote site, which in this case is http://liflingren.info/8i966f7x8ps9.zip, and save it into the %Temp% folder.


When finished, the batch file will execute the downloaded program, which will typically cause a UAC prompt to be displayed.

User Account Control Prompt

If a victim clicks on Yes, the new adware or other unwanted program will be installed on the computer.

This behavior further illustrates how adware purveyors continue to cross the boundary into full-fledged malware whose only purpose is to push unwanted software onto a victim's computer.


IOCs

Hashes:

SHA256: 03f879f80458a05311a40dc921c365cc3ac913bec93fd35425bbcf23e9ef2b30

Network Communication:

http://liflingren.info