TrojanDownloader:Win32/Clicker.C
First posted on 05 September 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Clicker.C is also known as Trojan-Downloader.Win32.Banload.bqdr (Kaspersky), W32/Banload.BHDR (Norman), Trojan.DL.Banload!KYkXpNCl+cA (VirusBuster), TR/Dldr.Banload.bqdr (Avira), Trojan-Downloader.Win32.Banload (Ikarus).
Explanation:
TrojanDownloader:Win32/Clicker.C is a trojan that downloads additional malware, such as TrojanClicker:Win32/Delf.ZXG, onto your computer.
Installation
TrojanDownloader:Win32/Clicker.C is dropped by other malware under %SystemRoot% with a random icon and a random file name, such as one of the following:
- File names:
  - infobasic5.exe
  - sdiskciis.exe
  - tpprhost.exe
- Icons: (icon images from the original entry are not reproduced in this text)
Note: %SystemRoot% refers to a variable location that is determined by the malware by querying the operating system. The default location for the SystemRoot folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Windows".
The dropper installs the trojan as a Windows service. It uses the /SILENT parameter to prevent the display of any installation or notification dialog boxes.
The name and description of the service differ between installations of this malware. In the wild, we have observed the following services:
- InforBasicSv with description "Information Quick Basic Service"
- SCAIISvc with description "Storage Caching Service"
- TpphSvc with description "Thread Profile Provider Host"
Payload
Downloads and runs other malware
In the wild, we have observed TrojanDownloader:Win32/Clicker.C downloading and running TrojanClicker:Win32/Delf.ZXG by connecting to the following URL:
http://222.239.243.30/tmp/a824/fcicin82.dat
Contacts remote hosts
TrojanDownloader:Win32/Clicker.C may contact one of the following remote hosts by sending an HTTP request:
- momembership.net
- partrevonline.net
The response from the host contains additional commands to be run by the trojan, in an encrypted format.
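The installation and network details above translate directly into host and network indicators. The following script is an added example, not part of the Microsoft entry: it collects the service names, service descriptions, file names, download IP and contact hosts listed on this page and matches them against a constructed service inventory and a constructed web-proxy log. The inventory rows and log lines are invented sample data, and the assumed log layout (client, method, URL per line) is a simplification of whatever a real proxy emits.

```python
"""Added example (not from the encyclopedia entry): match the file, service and
network indicators listed for TrojanDownloader:Win32/Clicker.C against a service
inventory and a proxy log. All sample data below is constructed."""
import re
from urllib.parse import urlsplit

# Indicators copied from the entry text. Service names are compared
# case-insensitively because Windows service names are not case-sensitive.
FILE_NAMES = {"infobasic5.exe", "sdiskciis.exe", "tpprhost.exe"}
SERVICES = {
    "inforbasicsv": "Information Quick Basic Service",
    "scaiisvc": "Storage Caching Service",
    "tpphsvc": "Thread Profile Provider Host",
}
NETWORK_HOSTS = {"222.239.243.30", "momembership.net", "partrevonline.net"}

# Constructed service inventory: (service name, description, binary path).
# The first two rows are ordinary Windows services; the last two match the entry.
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("wuauserv", "Windows Update", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("TpphSvc", "Thread Profile Provider Host", r"C:\Windows\tpprhost.exe"),
    ("InforBasicSv", "Information Quick Basic Service", r"C:\Windows\infobasic5.exe"),
]

# Constructed proxy log: one "client method url" record per line.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.12 GET http://222.239.243.30/tmp/a824/fcicin82.dat
10.0.0.31 GET http://momembership.net/
10.0.0.31 POST http://update.example.org/check
"""


def match_services(services):
    """Return (service_name, reasons) for every inventory row that hits an indicator.

    A row can match on the service name, the description, or the base name of
    the service binary; all matching reasons are reported so an analyst can see
    how strong the match is (a binary-name match is the most specific).
    """
    hits = []
    for name, desc, path in services:
        reasons = []
        if name.lower() in SERVICES:
            reasons.append(f"service name {name!r}")
        if desc in SERVICES.values():
            reasons.append(f"description {desc!r}")
        # Drop any command-line arguments, then take the file name component.
        exe = re.split(r"\s+", path.strip())[0]
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in FILE_NAMES:
            reasons.append(f"binary {base!r}")
        if reasons:
            hits.append((name, reasons))
    return hits


def match_proxy_log(log_text):
    """Return (client, url) for each log line whose URL host is a listed indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line for the assumed layout; skip it
        client, _method, url = parts
        host = (urlsplit(url).hostname or "").lower()
        if host in NETWORK_HOSTS:
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for name, reasons in match_services(SAMPLE_SERVICES):
        print(f"service {name}: " + "; ".join(reasons))
    for client, url in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"client {client} contacted {url}")
```

Matching on the download IP and the two contact hosts only catches the infrastructure observed at the time of the entry; the service and binary names are the more durable host-side signal, and a match on all three fields for one service, as with TpphSvc in the sample, is a far stronger indication than a description match alone.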
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Additional information
We have observed this threat mostly targeting computers in the Republic of Korea.
Related encyclopedia entries
TrojanClicker:Win32/Delf.ZXG
Analysis by Horea Coroiu
Last update 05 September 2012