The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Sep 21 2009 07:44 GMT
Released Sep 21 2009 11:23 GMT
Published Apr 05 2011 12:53 GMT

Technical Details
Removal instructions

Technical Details

This Trojan opens different websites in the browser without the user's knowledge. It consists of Java Script stored in an HTML page. It is 101 504 bytes in size.


When an infected page is opened in a browser, the Trojan uses Java Script methods to decrypt its body and launch the malicious code for execution. The Trojan attempts to open the resource at the following link in a hidden frame:


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  2. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
  3. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 717F735C8523DDA2D6A6FA146AA128A3
SHA1: D303D37B641E628776B3B6E99169649876674FD3

Bookmark and Share

Programs classified as Trojan-Clicker are designed to access Internet resources (usually web pages). This is done either by sending appropriate commands to the browser or by replacing system files that provide “standard” addresses for Internet resources (such as the Windows hosts file).

A malicious user may use Trojan-Clicker programs to:

  • increase the number of visits to certain sites in order to boost the number of hits for online ads
  • conduct a DoS (Denial of Service) attack on a particular server
  • lead potential victims to viruses or Trojans.


Trojan-Clicker.HTML.IFrame.aky (Kaspersky Lab) is also known as:

  • Troj/Iframe-DR (Sophos)
  • JS/Iframe.AT (Panda)
  • JS/IFrame.FF (FPROT)
  • Trojan.Script.13836 (BitDef7)
  • Trojan.IFrame.FC (BitDef7)
  • Trojan.Script.297955 (BitDef7)
  • processing error (VirusBuster)
  • JS.IFrame.Gen.6 (VirusBuster)
  • HTML:IFrame-FI [Trj] (AVAST)
  • HTML:IFrame-FJ [Trj] (AVAST)
  • Trojan-Clicker.HTML.IFrame (Ikarus)
  • Trojan.JS.Redirector (Ikarus)
  • HTML/Framer (AVG)
  • HTML/Crypted.Gen (AVIRA)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Error getting //bb-unload7/UFILES2/2011_5_8/146217251 (FSecure)
  • Error getting //bb-unload7/UFILES2/2011_5_8/146217253 (FSecure)
  • processing error (VirusBusterBeta)
  • JS.IFrame.Gen.6 (VirusBusterBeta)