English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsTrojan-Clicker.Win32.Small.f

Trojan-Clicker.Win32.Small.f

Detected Oct 31 2005 14:17 GMT
Released Oct 31 2005 14:17 GMT
Published Feb 15 2007 11:12 GMT

Technical Details
Payload
Removal instructions

Technical Details

This Trojan opens a range of Internet sites without the knowledge or consent of the user. It is a Windows DLL file. The file is approximately 10KB in size. It is packed using UPX. The unpacked file is approximately 25KB in size.

Installation

When registering, the DLL file is installed to the system as a Browser Helper Object, creating the following registry keys:

[HKCR\CLSID\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}]

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF}]


Payload

The Trojan tracks which sites the user visits when using Internet Explorer. When certain sites are visited the Trojan will redirect the user to sites belonging to the remote malicous user by substituting IP addresses in the following file:

%System%\drivers\etc\hosts

The list of sites the user will be redirected to is downloaded from the remote malicious user’s site.


Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Revert the DLL file registration by executing the following command: 
    regsvr32.exe /u <name of Trojan file>
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).


Print
Bookmark and Share
Share
Trojans
Trojan-Clicker

Programs classified as Trojan-Clicker are designed to access Internet resources (usually web pages). This is done either by sending appropriate commands to the browser or by replacing system files that provide “standard” addresses for Internet resources (such as the Windows hosts file).

A malicious user may use Trojan-Clicker programs to:

  • increase the number of visits to certain sites in order to boost the number of hits for online ads
  • conduct a DoS (Denial of Service) attack on a particular server
  • lead potential victims to viruses or Trojans.

Other versions
Trojan-Clicker.Win32.Small.ae
Trojan-Clicker.Win32.Small.ai
Trojan-Clicker.Win32.Small.bh
Trojan-Clicker.Win32.Small.eb
Trojan-Clicker.Win32.Small.fn
Trojan-Clicker.Win32.Small.h
Trojan-Clicker.Win32.Small.ie
Trojan-Clicker.Win32.Small.kj

Aliases

Trojan-Clicker.Win32.Small.f (Kaspersky Lab) is also known as:

  • TrojanClicker.Win32.Small.f (Kaspersky Lab)
  • Trojan: Generic.dx!usf (McAfee)
  • Mal/Behav-320 (Sophos)
  • Heuristics.Broken.Executable (ClamAV)
  • Heuristic.WinPE-Statistical (Panda)
  • W32/Trojan-MIP.2!Generic (FPROT)
  • Trojan.Click.40157 (DrWeb)
  • Trojan.Clicker.Small.F (BitDef7)
  • Trojan.CL.Small!xz6FjGvNROQ (VirusBuster)
  • Win32:Adware-gen [Adw] (AVAST)
  • Trojan-Downloader.Win32.Small (Ikarus)
  • Clicker.BCG (AVG)
  • Adware.Delta (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.CL.Small!xz6FjGvNROQ (VirusBusterBeta)

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search