
Trojan:Win32/Lickore.B


First posted on 20 July 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Lickore.B is also known as Win32/TrojanClicker.BHO.NCQ (ESET), Trojan.Naver.220 (Dr.Web), Trojan.Siggen4.6128 (Dr.Web), TR/Lickore.B (Avira), Trojan.Win32.Lickore (Ikarus).

Explanation:

Trojan:Win32/Lickore.B is a trojan installed as a BHO (Browser Helper Object) that connects to web pages without your consent.



Installation

The trojan is downloaded from hxxp://down.tmqrhks.com/dist/dobuycns/ by a downloader that is also detected as Trojan:Win32/Lickore.B. It is downloaded to the folder %ProgramFiles%\<random> (for example, %ProgramFiles%\dobuycns).

Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".

Trojan:Win32/Lickore.B installs itself by creating the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\CLSID\<variable Class ID>\InProcServer32
Sets value: "(default)"
With data: "%ProgramFiles%\<random>" (this is the folder where the trojan is downloaded to, for example, %ProgramFiles%\dobuycns)

In subkey: HKLM\SOFTWARE\Classes\CLSID\<variable Class ID>
Sets value: "(default)"
With data: "0"
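The two registry entries above give a defender something concrete to look for: a CLSID whose own default value is "0" and whose InProcServer32 default points at a folder directly under Program Files. The following script is an added example, not part of the Microsoft write-up; it parses text in the format produced by `reg export` and applies that heuristic. The sample export, the CLSIDs in it and the "one folder level, no .dll" rule are constructed for illustration and are not indicators published on this page.

```python
"""Flag CLSID registrations that match the Lickore.B installation pattern.

Added example (not from the Microsoft description). Input is text in the
.reg export format; the heuristic mirrors the two entries described above.
"""
import re

# Constructed sample in .reg export format. Both CLSIDs are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\Program Files\\dobuycns"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Acme Toolbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Program Files\\Acme\\toolbar.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Captures the CLSID and whether the key is its InProcServer32 subkey.
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})(\\InProcServer32)?$')


def parse_reg_export(text):
    """Return {(clsid, is_inproc): default_value} for keys under Classes\\CLSID."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            cm = CLSID_RE.search(m.group(1))
            current = (cm.group(1), cm.group(2) is not None) if cm else None
            continue
        m = DEFAULT_RE.match(line.strip())
        if m and current is not None:
            # .reg files escape backslashes inside string values.
            entries[current] = m.group(1).replace('\\\\', '\\')
    return entries


def suspicious_clsids(text, program_files=r'C:\Program Files'):
    """Hypothetical heuristic: the CLSID's own default is "0" and its
    InProcServer32 default is a bare folder one level under Program Files."""
    entries = parse_reg_export(text)
    prefix = program_files.lower() + '\\'
    hits = []
    for (clsid, is_inproc), value in entries.items():
        if not is_inproc or not value.lower().startswith(prefix):
            continue
        tail = value[len(prefix):]
        class_default = entries.get((clsid, False))
        if class_default == '0' and '\\' not in tail and not tail.lower().endswith('.dll'):
            hits.append((clsid, value))
    return hits


if __name__ == '__main__':
    for clsid, path in suspicious_clsids(SAMPLE_REG):
        print(f'{clsid} -> {path}')
```

On a live system the same text can be produced with `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg` and fed to `suspicious_clsids`; any hit should be cross-checked against the "Manage Add-ons" window and the folder on disk before acting on it.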

Once installed, the trojan is visible in Internet Explorer's "Manage Add-ons" window, which can be opened from the Tools menu. The image below shows an example of the "Manage Add-ons" window; the file name of the trojan can vary.





Payload

Monitors browsing behavior

Trojan:Win32/Lickore.B monitors your browsing behavior. In the wild we have seen it checking whether you visit any of these sites:

0to7.com
2001outlet.com
akmall.com
amante.co.kr
bandinlunis.com
book.11st.co.kr
boribori.co.kr
chongga.com
chonggafood.com
cjmall.com
cjonmart.com
coii.kr
diskstory.com
emartmall.com
escrow.epost.go.kr
ethefaceshop.com
fashionflus.co.kr
flower.epost.go.kr
gumzzi.co.kr
halfclub.com
hnp.halfclub.com
idolstyle.co.kr
istyle24.com
lgfashionshop.com
libro.co.kr
lotteimall.com
mall.2001outlet.com
mall.epost.go.kr
mall.shinsegae.com
mart.epost.go.kr
mochaccino.co.kr
naingirl.com
njoyny.ktmall.com
ogage.co.kr
okkane.co.kr
oneaday.co.kr
plus1000.co.kr
shop.urii.com
skdutyfree.com
vitamall.co.kr
with.gsshop.com
wizwid.com
woori.com
gsshop.com
hyundaihmall.com
nsmall.com

The trojan may report your visits to the above sites by sending HTTP requests to the following servers, which may be involved in pay-per-click schemes to generate revenue:

  • hxxp://click.clickstory.co.kr/?vanilla=<ID>&turl=<Visited_Site_Address>
  • hxxp://click.linkprice.com/click.php?m=<Part_Of_Visited_Site_Address>&a=A100339321&l=9999l_cd1=3&l_cd2=0&tu=


An HTTP request is a type of basic communication between your browser and a website.

Contacts remote sites

Trojan:Win32/Lickore.B may also connect to the following site, possibly to count the number of computers that have been infected by the trojan:

hxxp://down.tmqrhks.com/dist/dobuycns/ofs.php
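Both the click-report requests listed under "Monitors browsing behavior" and the check-in URL above are plain HTTP requests, so they show up in proxy or web-filter logs. The following script is an added example, not part of the Microsoft write-up: it scans log lines for requests to the two click servers and for the check-in URL, and pulls the reported shop address out of the `turl` or `m` parameter. The log lines, client addresses and the `vanilla` ID are constructed; the hosts and the `a=A100339321` value come from the description. Matching is on the exact host name rather than a substring, so a look-alike domain that merely contains "clickstory.co.kr" is not flagged.

```python
"""Scan proxy log lines for Lickore.B click reports and check-ins.

Added example (not from the Microsoft description). Log format and client
addresses are constructed; indicator hosts come from the write-up.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Servers named in the write-up as receivers of the click reports.
CLICK_HOSTS = {'click.clickstory.co.kr', 'click.linkprice.com'}
# Check-in URL named in the write-up (hxxp written as http for parsing).
CHECKIN_URL = 'http://down.tmqrhks.com/dist/dobuycns/ofs.php'

# Constructed sample: "timestamp client method url", one request per line.
SAMPLE_LOG = """\
1342780000.123 10.0.0.5 GET http://www.example.com/index.html
1342780001.456 10.0.0.5 GET http://click.clickstory.co.kr/?vanilla=12345&turl=http://gsshop.com/
1342780002.789 10.0.0.7 GET http://click.linkprice.com/click.php?m=akmall&a=A100339321&tu=
1342780003.000 10.0.0.9 GET http://down.tmqrhks.com/dist/dobuycns/ofs.php
1342780004.111 10.0.0.5 GET http://clickstory.co.kr.example.net/
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$')


def classify(url):
    """Return 'click_report', 'checkin' or None for one request URL."""
    if urlsplit(url).hostname in CLICK_HOSTS:
        return 'click_report'
    if url == CHECKIN_URL:
        return 'checkin'
    return None


def scan_log(text):
    """Return [(client, kind, reported_site)] for every matching line.

    reported_site is the turl= value (clickstory) or m= value (linkprice),
    or '' when the request carries neither.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, _, url = m.groups()
        kind = classify(url)
        if kind is None:
            continue
        qs = parse_qs(urlsplit(url).query)
        reported = (qs.get('turl') or qs.get('m') or [''])[0]
        findings.append((client, kind, reported))
    return findings


def infected_clients(text):
    """Clients that sent either kind of request, sorted for stable output."""
    return sorted({client for client, _, _ in scan_log(text)})


if __name__ == '__main__':
    for client, kind, reported in scan_log(SAMPLE_LOG):
        print(f'{client}\t{kind}\t{reported}')
    print('clients:', ', '.join(infected_clients(SAMPLE_LOG)))
```

Adapt `LINE_RE` to the log format actually in use; the rest of the logic only needs the client address and the full request URL. A client that appears with `checkin` but no `click_report` has at least run the installer, so it deserves the same registry check as one that is already reporting visits.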



Analysis by Stefan Sellmer

Last update 20 July 2012
