Malware.Rujack

Threat Scorecard

Ranking: 104
Threat Level: 50 % (Medium)
Infected Computers: 429,410
First Seen: April 6, 2017
Last Seen: September 21, 2023
OS(es) Affected: Windows

Rujack and Malware.Rujack are detection names used by cybersecurity vendors for riskware and browser-hijacking software that forces users to load pages on the h[tt]ps://mail[.]ru domain. Mail.ru is a legitimate site aimed at Russian-speaking Web users. It resembles Bing and Google in many ways, with a built-in weather forecast, IM client support, an email service, news feeds and integration of the Yandex search service. Unfortunately, the reputation of Mail.ru has been plagued by adware activity and browser hijacking caused by third parties looking to claim advertising revenue by redirecting users to Mail.ru.

The software flagged as Rujack and Malware.Rujack may include browser extensions for Google Chrome, add-ons for Mozilla Firefox and Browser Helper Objects (BHOs) for Internet Explorer. The Rujack applications are usually distributed to PC users bundled with misleading, fake updates for Adobe Flash and Java. Rujack-branded programs may be presented to users as free media players and as extensions that help stream video content from the Internet. We have seen applications such as “Rutube Chrome Extension,” “WebExpEnhanced” and “UpdHost2” flagged as Malware.Rujack and PUP.Optional.MailRu. Extensions with the following IDs have been known to cause problems for users:

lhemechcanjmilllmccjbjldonmnnjjj
hcadgijmedbfgciegjomfpjcdchlhnif
bhjhnafpiilpffhglajcaepjbnbjemci
indjgiebmakhmnaplnlnanodkfiejfjd

The Rujack software has been observed to modify popular Web browsers and force them to load resources at Mail.ru, as well as advertisements from untrusted domains. Most of the cases involving the Rujack software correspond to Europe and Central America. Malware.Rujack may use VBS scripts and Registry keys to redirect users to insecure pages on the Internet, as well as to invite users to run questionable software from unverified publishers. It is best to remove the files and applications associated with Malware.Rujack using a credible anti-malware suite. AV scanners may list related files under the following names:

  • Suspicious_GEN.F47V0628
  • Trojan.Agent.CIPO
  • Trojan.VBS.HotNews.a
  • Win32/Trojan.7e4
  • malware (ai score=81)

File System Details

Malware.Rujack may create the following file(s):
#   File Name   MD5                                 Detections
1.  ijhg.vbs    f72c0e51ec0d968d482a9a127792aa58    259
2.  ijhg.vbs    990b494c525a8368f4b7ed9bac762ae1    57
3.  ijhg.vbs    cbea28fe6583edc76b225b8b928a4d11    43

Registry Details

Malware.Rujack may create the following registry entry or registry entries:
CLSID:
{CBF88FC2-F150-4F29-BC80-CE30EFD1B62C}
File name without path:
amigo.bat
Чистилка.lnk
Regexp file mask:
%ALLUSERSPROFILE%\[RANDOM CHARACTERS] [RANDOM CHARACTERS].lnk.bat
%ALLUSERSPROFILE%\Application Data\help.bat
%ALLUSERSPROFILE%\help.bat
%localappdata%\yandex.bat
%PROGRAMFILES%\Subversion\TortoiseSVN Overlay.dll
%WINDIR%\System32\Tasks\mysidex[NUMBERS]
%WINDIR%\System32\Tasks\101news101net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\101news101org[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\1bl0gcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\1bl0gnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\1news101com[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\1news101net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\24runewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\24runewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\24socialnewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\24socialnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\2infoblogcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\2infoblognet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\3bloginfocom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\7runewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\7runewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\[RANDOM CHARACTERS]journalorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\all-journalnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\andyounnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\bl0gingcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\bl0gingnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\blog9newsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\blogingtcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\blogingtnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\blogmytopnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\bossnewsbiz[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\browser-netnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\browser-netorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\fornews2017net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\fornews2017org[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\fpagesnewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\fpagesnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\free1newsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\gogetnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\good-journalnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\green5news[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\hit5news[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\hitech-2017info[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\hitech-2017net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\hitnews1net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\hitnews1org[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\httphumanvevo12com[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\httpnewsfor24klocom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\httpnewsfor24procom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\httpnewsfor24smocom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\inewsennet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\interesting20news17com[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\interesting20news17net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\internet-lifeorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\inversenewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\jooringcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\jooringnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\journal-allnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\journal-goodnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\journal-goodorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\journalaboutlifeorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\jurnal-lifenet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\kodobi[NUMBERS]
%WINDIR%\System32\Tasks\krutonewsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\linenewsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\LookUpPro[NUMBERS]
%WINDIR%\System32\Tasks\lorensonewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\lorensonewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\MarketAdvior[NUMBERS]
%WINDIR%\System32\Tasks\myblog10com[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\myblognewsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\mynewsforcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\mynewsfornet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\nano-newsinfo[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\new1newsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\new1newsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news-onlyorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news-truenet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news1freecom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news1freeorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news24socialcom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\news24socialnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newscruisenet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newsfor24orgzhrotsm
%WINDIR%\System32\Tasks\newshistorysnetlhrots[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newsonlineonlynet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newsonlyonlinenet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newssocialorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newstimes2017[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newstop5net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\newstop5org[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\notbadnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\notbadnewsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\onepagesnewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\onepagesnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\pagesnewsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\timeandnewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\timeandnewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\top5newsorg[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\top9blogcomqazsm
%WINDIR%\System32\Tasks\topnews17com[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\topnews17info[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\topnews17net[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\topnewsonlinenet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\vnovostyahnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\yocoursenewscom[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\yocoursenewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\youfreenewsnet[RANDOM CHARACTERS]
%WINDIR%\System32\Tasks\YoutubeDownloader
%WINDIR%\System32\Tasks\YoutubeDownloader_upd
Software\kodobi
Software\LookupPro
Software\MarketAdvior
Software\Microsoft\chst
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\kodobi
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\kodobi2
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\LookUpPro
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\LookUpPro2
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\mysidex
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\mysidex2
Software\Microsoft\Windows\CurrentVersion\Run\kodobi
Software\Microsoft\Windows\CurrentVersion\Run\LookUpPro
Software\Microsoft\Windows\CurrentVersion\Run\MarketAdvior
Software\Microsoft\Windows\CurrentVersion\Run\mysidex
Software\mysidex
SOFTWARE\Policies\Microsoft\Internet Explorer\SearchScopes\1E35BAB2-2EA9-428D-8E26-705304D76739
SOFTWARE\Wow6432Node\Policies\Microsoft\Internet Explorer\SearchScopes\1E35BAB2-2EA9-428D-8E26-705304D76739
SOFTWARE\Wow6432Node\Чистилка
SOFTWARE\Чистилка
SYSTEM\ControlSet001\services\Chistilka
SYSTEM\ControlSet002\services\Chistilka
SYSTEM\CurrentControlSet\services\Chistilka
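As an added example (not from the original report and not a vendor tool), the following PowerShell script performs a read-only check of a host for the persistence artifacts this report lists: the Run values, the scheduled tasks and the dropper scripts they launch, the Chistilka service and vendor keys, the Internet Explorer search-scope policy, the CLSID, and the four Chrome extension IDs named above. The report does not state which hive (HKCU or HKLM) each key lives under, so the placement below is an assumption.

```powershell
# Added read-only triage script (not from the original report); it checks the
# persistence locations listed above. Hive placement (HKCU vs HKLM) is assumed.
$runValues   = 'kodobi', 'LookUpPro', 'MarketAdvior', 'mysidex'
$scriptNames = 'ijhg.vbs', 'help.bat', 'yandex.bat', 'amigo.bat'
$extIds      = 'lhemechcanjmilllmccjbjldonmnnjjj', 'hcadgijmedbfgciegjomfpjcdchlhnif',
               'bhjhnafpiilpffhglajcaepjbnbjemci', 'indjgiebmakhmnaplnlnanodkfiejfjd'
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Run values in the user and machine hives (plus the WOW6432Node view).
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings.Add("Run value '$name' in $key = $($props.$name)")
        }
    }
}

# 2. Scheduled tasks: the named tasks (with their [NUMBERS] suffixes), or any
#    task whose action launches one of the listed scripts. The ad-domain tasks
#    carry random suffixes, so the action is a more stable match than the name.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $byName   = $task.TaskName -match '^(kodobi|LookUpPro|mysidex|MarketAdvior)\d*$|^YoutubeDownloader(_upd)?$'
    $byScript = $scriptNames | Where-Object { $actions -like "*$_*" }
    if ($byName -or $byScript) {
        $findings.Add("Task $($task.TaskPath)$($task.TaskName) runs: $actions")
    }
}

# 3. Service, vendor keys, IE search-scope policy and CLSID from the report.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\Chistilka',
                 'HKLM:\SOFTWARE\Чистилка', 'HKLM:\SOFTWARE\Wow6432Node\Чистилка',
                 'HKCU:\Software\kodobi', 'HKCU:\Software\LookupPro',
                 'HKCU:\Software\MarketAdvior', 'HKCU:\Software\mysidex',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\SearchScopes\1E35BAB2-2EA9-428D-8E26-705304D76739',
                 'Registry::HKEY_CLASSES_ROOT\CLSID\{CBF88FC2-F150-4F29-BC80-CE30EFD1B62C}') {
    if (Test-Path -LiteralPath $key) { $findings.Add("Registry key present: $key") }
}
# 4. Chrome extension folders for the four extension IDs named in the report.
$chromeExt = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
foreach ($id in $extIds) {
    if (Test-Path (Join-Path $chromeExt $id)) { $findings.Add("Chrome extension: $id") }
}
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'None of the Malware.Rujack indicators from this report were found.' }
```

Save the script as UTF-8 with BOM so Windows PowerShell 5.1 reads the Cyrillic key names correctly, and run it from an elevated session so the HKLM and task queries are not silently incomplete.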

Directories

Malware.Rujack may create the following directory or directories:

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Чистилка
%ALLUSERSPROFILE%\Чистилка
%APPDATA%\CurrencyConvertor
%APPDATA%\EVERYDAYHOLIDAY
%APPDATA%\MarketAdvior
%APPDATA%\Movies
%APPDATA%\Onetabber
%APPDATA%\PBot
%APPDATA%\WeatherForecaster
%APPDATA%\YoutubeDownloader
%APPDATA%\YoutubeDownloader_upd
%APPDATA%\adtschema
%APPDATA%\gerpril
%APPDATA%\kceidjgdigbhildogdafgekneemgibfe
%APPDATA%\msspeedlib
%APPDATA%\mysidex
%APPDATA%\okagncigkfokplmopeninonbibkmpogi
%APPDATA%\printfilterpipelinesvc
%AppData%\LookupPro
%AppData%\kodobi
%TEMP%\tmpnrlv3x9i
%TEMP%\tmpq07u1cp9

URLs

Malware.Rujack may call the following URLs:

//searchtds.ru
/gazetwa.ru
/kalolo.ru
c.traffic-media.co/
go.deliverymodo.com/afu
sagepubgo.com
search.distring.ru
searche-engine.ru
searchtrack.ru
send-notice.com
top-start-page.com/
traff-1.ru
traff-2.ru
traff-3.ru
traff1.ru
traff3.ru
traffic-media.co/mghtml
vulkanstyle.gq
