Trojan-Clicker.Win32.Small.kj

Technical Details

This Trojan program is designed to artificially boost the number of visits to designated web sites. The Trojan itself is a Windows PE EXE file, packed using FSG. The file may be between 5KB and 36KB.

Installation

Once launched, the Trojan copies itself to the Windows root directory as svchost.exe:

%Windir%\svchost.exe

It then registers this file in the system registry:

This ensures that the Trojan will be launched each time Windows is rebooted on the victim machine.

The Trojan also creates a file named SYSHOST.DLL in the Windows root directory:

%Windir%\SYSHOST.DLL

Payload

The Trojan downloads the following page via the Internet to Microsoft Internet Explorer:

http://195.225.***.34/stat2/0034/tuk.php

It then attempts to download the files listed below to the Windows temporary directory (%Temp%):

http://195.225.***.34/stat2/0034/c1.txt
http://195.225.***.34/stat2/0034/c2.txt
http://195.225.***.34/stat2/0034/c3.txt

Removal instructions

1. Delete the original Trojan file (the location will depend on how the malicious program originally penetrated the victim machine).
2. Delete the following files:

   %Windir%\svchost.exe
   %Windir%\SYSHOST.DLL

3. Delete the files downloaded by the Trojan:

   %Temp%\c1.txt
   %Temp%\c2.txt
   %Temp%\c3.txt

4. Modify the following registry key:
   [HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
    "Userinit"="%System%\userinit.exe,,%Windir%\svchost.exe%"
   to
   [HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
    "Userinit"="%System%\userinit.exe,"
5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Summary

• Trojan-Spy. Spies upon user's activity

• Trojan. Performs actions that are typical of malicious programs

• Implements network activity

• Performs potentially dangerous activity

Technical details

File size of 15360 bytes.

Installation

Makes copies of itself with the following names once launched:

• Windows directory (usually, C:\Windows)%Windir%\service32.exe

Creates the following files on an infected computer:

• Windows directory (usually, C:\Windows)%Windir%\taskmgr32.dll (­Kaspersky Anti-Virus detects as­ Trojan-Clicker.Win32.Small.kj)
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\tuk.php
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c1.txt
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c1.txt.$$$
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c2.txt
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c2.txt.$$$
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c3.txt
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c3.txt.$$$

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

by adding values to autorun keys in the system registry:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run ] "1" = " Windows directory (usually, C:\Windows)%Windir%\service32.exe"

Malicious activity

Tracks user activity by installing system hooks:

• ­Intercept program messages­

Injects its code into the following processes:

• IEXPLORE.EXE

Connects to to the following Internet addresses:

• ***.225.176.34:20480

Creates unique identifiers to flag its presence in the system

• GTAJIUYAGDL

Other activities

Runs the following files (commands):

• Standard directory for programs installed on Windows OS (usually, C:\Program Files)%Program Files%\Internet Explorer\iexplore.exe (­implements multiple launch­)

Modifies the system registry keys:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SOFTWARE\76GHG2HQ9P ] "76GHG2HQ9P" = "Ø"

Deletes the following files on an infected computer:

• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\Sys.htm
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\tuk.php
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c2.txt
• Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\c3.txt