Trojan:Win32/Claretore.I
First posted on 19 December 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Claretore.I is also known as Trojan.Win32.Simda.cga (Kaspersky), Win32/Simda.P trojan (ESET).
Explanation:
Installation
When run, Trojan:Win32/Claretore.I drops copies of itself with the hidden and system file attributes set, using the following naming format:
- %HOMEPATH%\<random string 1>-<random string 2>.exe
- multiple files with the format %TEMP%\<random string>.tmp and %TEMP%\<random string 1>-<random string 2>.tmp
It creates the following registry entry so that its copy runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update Server"
With data: "%HOMEPATH%\<random string 1>-<random string 2>.exe"
It then deletes the original file it was run from, leaving only the dropped copy and the Run entry behind.
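The persistence artifacts above (a Run value named "Windows Update Server" whose data is a <random>-<random>.exe directly under the user profile) are specific enough to triage from a registry dump. The following is an added example, not Microsoft's code and not part of the original write-up: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and scores each entry against those two indicators. The sample dump is constructed; the assumption that the random strings are alphanumeric is this example's own (the write-up does not give their alphabet or length), and on a default profile %HOMEPATH% expands to \Users\<name>, so the regex accepts the path with or without a drive letter. Files named <random>.tmp in %TEMP% are deliberately not treated as an indicator on their own, since that pattern is far too common to be useful.

```python
import re
from dataclasses import dataclass

# Run value name written by the trojan (from the write-up). Compared
# case-insensitively because registry value names are case-insensitive.
CLARETORE_RUN_VALUE = "windows update server"

# %HOMEPATH%\<random string 1>-<random string 2>.exe
# Assumption (not from the write-up): the random strings are alphanumeric.
RANDOM_PAIR_EXE = re.compile(
    r"^(?:[a-z]:)?\\users\\[^\\]+\\([a-z0-9]+)-([a-z0-9]+)\.exe$",
    re.IGNORECASE,
)

# Constructed sample of `reg query HKCU\...\Run` output (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows Update Server    REG_SZ    C:\Users\alice\qwk4jd-x9pl2v.exe
    MyTray    REG_SZ    C:\Tools\mytray.exe --minimized
"""


@dataclass
class RunEntry:
    name: str   # value name
    kind: str   # REG_SZ, REG_EXPAND_SZ, ...
    data: str   # command line as stored


def parse_reg_query(text):
    """Parse `reg query` output into RunEntry records.

    reg.exe separates the columns with runs of four spaces, so splitting on
    four-or-more spaces keeps a value name that contains single spaces
    (such as "Windows Update Server") intact.
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        data = parts[2] if len(parts) > 2 else ""
        entries.append(RunEntry(parts[0], parts[1], data))
    return entries


def executable_path(command_line):
    """Reduce a Run value's command line to the executable it launches.

    Quoted paths are taken up to the closing quote; unquoted ones up to the
    first space (enough for this triage, not a full CreateProcess emulation).
    """
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def assess(entries):
    """Return (value name, executable, reasons) for every suspicious entry."""
    findings = []
    for entry in entries:
        exe = executable_path(entry.data)
        reasons = []
        if entry.name.strip().lower() == CLARETORE_RUN_VALUE:
            reasons.append("Run value name matches the Claretore persistence name")
        if RANDOM_PAIR_EXE.match(exe):
            reasons.append("executable is <random>-<random>.exe directly under the user profile")
        if reasons:
            findings.append((entry.name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in assess(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{name!r} -> {exe}")
        for reason in reasons:
            print(f"    - {reason}")
```

Both indicators firing on the same entry is a strong match; either one alone still deserves a look, since a rebuilt sample could change the value name while keeping the file naming, or vice versa.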
Payload
Monitors your Internet activities
Trojan:Win32/Claretore.I checks to see if you are running any of the following processes:
- chrome.exe
- cmd.exe
- explorer.exe
- far.exe
- firefox.exe
- iexplore.exe
- opera.exe
- totalcmd.exe
- wuauclt.exe
If any of these processes is running, the trojan hooks APIs inside it so that it can observe and alter what the process does.
Changes Google Analytics code
Trojan:Win32/Claretore.I may replace references to the Google Analytics JavaScript "google-analytics.com/ga.js" in pages loaded by the hooked browsers with a reference to its own script. Because that script runs in the context of the page you are viewing, attackers can run code of their choosing in your browser, and the substitution may result in fake Google Analytics results or fake advertisement clicks.
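Because the substitution happens inside the hooked browser, the page the server sent and the page the browser ended up with differ. The following is an added example, not code from Microsoft or from the write-up: it extracts every script src from both versions of a page and reports any genuine ga.js reference that is missing from the rendered copy together with any script source that was not served. Both HTML snippets are constructed for the example, and the replacement host "analytics.example.invalid" is a placeholder, not an indicator from the write-up. In practice the served copy would come from a clean host (for example a curl fetch of the same URL) and the rendered copy from the suspect browser's DOM.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_HOST = "google-analytics.com"
GA_SCRIPT_PATH = "/ga.js"

# Constructed page as the web server sends it.
SERVED_HTML = """<html><head>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
<script src="/static/site.js"></script>
</head><body>hello</body></html>"""

# Constructed page as the hooked browser ended up rendering it: the ga.js
# reference was swapped for a placeholder host (assumption, not a real IOC).
RENDERED_HTML = """<html><head>
<script type="text/javascript" src="http://analytics.example.invalid/ga.js"></script>
<script src="/static/site.js"></script>
</head><body>hello</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def script_sources(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def is_genuine_ga(src):
    """True for ga.js served from google-analytics.com or a subdomain of it."""
    parsed = urlparse(src)
    host = (parsed.hostname or "").lower()
    on_ga_host = host == GA_HOST or host.endswith("." + GA_HOST)
    return on_ga_host and parsed.path.endswith(GA_SCRIPT_PATH)


def ga_tampering(served_html, rendered_html):
    """Compare served vs rendered script sources.

    Returns a dict with the genuine ga.js references that vanished from the
    rendered page and the script sources that appeared without being served.
    An empty dict means nothing to report.
    """
    served = script_sources(served_html)
    rendered = script_sources(rendered_html)
    expected_ga = [s for s in served if is_genuine_ga(s)]
    if not expected_ga:
        return {}  # page never referenced ga.js; no baseline to compare
    missing = [s for s in expected_ga if s not in rendered]
    unexpected = [s for s in rendered if s not in served]
    if not missing and not unexpected:
        return {}
    return {"missing_ga": missing, "unexpected_scripts": unexpected}


if __name__ == "__main__":
    print(ga_tampering(SERVED_HTML, RENDERED_HTML))
```

A clean browser returns an empty result for the same two inputs; a mismatch where ga.js is gone and a same-named script from another host has appeared is exactly the pattern described above.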
Analysis by Stefan Sellmer
Last update 19 December 2012