TrojanClicker:Win32/Clikug.A
First posted on 31 March 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanClicker:Win32/Clikug.A.
Explanation:
Threat behavior
Installation
We have seen TrojanClicker:Win32/Clikug.A installed by other malware and potentially unwanted software. It can also be downloaded by software bundlers that install clean applications.
One example is a software bundler that installs Clikug (also known as GigaClicks) at the same time as other applications. We detect this installer as TrojanDownloader:Win32/Clikug.A.
TrojanClicker:Win32/Clikug.A copies itself to the following locations:
- %APPDATA%\GCC\Controller.exe
- %APPDATA%\GCC\GccProfiler.exe
- %APPDATA%\GCC\uninstall.exe
The trojan creates a scheduled task so that it runs regularly:
\Tasks\GC_Scheduler
A significant amount of disk space is also used by TrojanClicker:Win32/Clikug.A in the following directory. It is used to hold temporary Chrome profiles and extensions used for the crawling:
- %TEMP%\GC\Profiles
An uninstall entry is added under the display name “GigaClicks Crawler” with no developer information. Running the uninstaller might remove the threat from your PC.
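The installation artifacts listed above can be checked on a host in one pass. The following PowerShell is an added example, not part of the original Microsoft entry: the function name `Get-ClikugArtifact` is hypothetical, and searching the standard Windows uninstall registry keys is an assumption, since the entry gives only the display name.

```powershell
# Added example (not Microsoft's code): report which Clikug.A artifacts named in
# this entry exist for the current user. The function name is hypothetical.
function Get-ClikugArtifact {
    # Copies of the trojan under %APPDATA%\GCC
    foreach ($name in 'Controller.exe', 'GccProfiler.exe', 'uninstall.exe') {
        $path = Join-Path $env:APPDATA "GCC\$name"
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Detail = $path }
        }
    }

    # Temporary Chrome profiles; size is reported because the entry notes heavy disk use
    $profiles = Join-Path $env:TEMP 'GC\Profiles'
    if (Test-Path -LiteralPath $profiles -PathType Container) {
        $sum = (Get-ChildItem -LiteralPath $profiles -Recurse -File -Force -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Type = 'Directory'; Detail = ('{0} ({1:N1} MB)' -f $profiles, ($sum / 1MB)) }
    }

    # Scheduled task, matched by name (Get-ScheduledTask needs Windows 8 / Server 2012 or later)
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in @(Get-ScheduledTask -TaskName 'GC_Scheduler' -ErrorAction SilentlyContinue)) {
            [pscustomobject]@{ Type = 'ScheduledTask'; Detail = $task.TaskPath + $task.TaskName }
        }
    }

    # Uninstall entry by display name; these key locations are an assumption (standard Windows paths)
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'GigaClicks Crawler' }
    foreach ($entry in $entries) {
        [pscustomobject]@{ Type = 'UninstallEntry'; Detail = $entry.PSPath }
    }
}

# An empty result means none of the listed artifacts were found for this user.
Get-ClikugArtifact | Format-Table -AutoSize
```

%APPDATA% and %TEMP% are per-user, so run this in the session of the account being checked.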
Payload
Click fraud
This threat can use your PC for click fraud.
We have seen it using as much as 1 GB of bandwidth per hour - this can severely impact the speed of your Internet connection as well as lead to excess data usage charges from your Internet service provider.
Analysis by Geoff McDonald
Symptoms
The following could indicate that you have this threat on your PC:
- Slow Internet speeds when you browse websites or play games
- Poor PC performance
- Unusually high bandwidth usage reported or charged to you by your Internet Service Provider (ISP).
- You have these files:
  - %APPDATA%\GCC\Controller.exe
  - %APPDATA%\GCC\GccProfiler.exe
  - %APPDATA%\GCC\uninstall.exe
- You have the following uninstall entry:
Last update 31 March 2014