
Trojan:Win32/Clikug.A


First posted on 24 March 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Clikug.A.

Explanation :

Threat behavior

Installation

We have seen Trojan:Win32/Clikug.A installed by other malware or potentially unwanted software. It can also be included in software bundlers that install clean applications.

The image below shows an example of a software bundler that installs Clikug (also known as GigaClicks) at the same time as other applications. We detect this installer as TrojanDownloader:Win32/Clikug.A:



Trojan:Win32/Clikug.A copies itself to the following locations:

  • %APPDATA%\GCC\Controller.exe
  • %APPDATA%\GCC\GccProfiler.exe
  • %APPDATA%\GCC\uninstall.exe


The trojan creates a scheduled task so that it runs regularly:

  • %SystemDrive%\Tasks\GC_Scheduler


A significant amount of disk space is also used by Trojan:Win32/Clikug.A in the following directory:

  • %TEMP%\GC\Profiles


An uninstall entry is added under the display name "GigaClicks Crawler" with no developer information. Running the uninstaller might remove the threat from your PC.



Payload

Click fraud

This threat can use your PC for click fraud.

We have seen it using as much as 1 GB of bandwidth per hour - this can severely impact the speed of your Internet connection as well as lead to excess data usage charges from your Internet service provider.



Analysis by Geoff McDonald

Symptoms

The following could indicate that you have this threat on your PC:

  • Slow Internet speeds when you browse websites or play games
  • Poor PC performance
  • Unusually high bandwidth usage reported or charged to you by your Internet Service Provider (ISP).
  • You have these files:
    • %APPDATA%\GCC\Controller.exe
    • %APPDATA%\GCC\GccProfiler.exe
    • %APPDATA%\GCC\uninstall.exe
  • You have the following uninstall entry:
    • GigaClicks Crawler
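The installation and symptom indicators above (dropped files under %APPDATA%\GCC, the GC_Scheduler task, the %TEMP%\GC\Profiles directory and the "GigaClicks Crawler" uninstall entry) can be checked on a suspect PC with a short PowerShell script. The following is an added example written for this page, not a tool from Microsoft; the file names, task name and display name come from the description, while the %SystemRoot%\System32\Tasks folder and the three Uninstall registry hives are standard Windows locations assumed here and not mentioned on the page.

```powershell
# Added example: hunt for the Trojan:Win32/Clikug.A indicators listed on this page.
# Run from an elevated prompt so the HKLM hives and task folders are readable.

$findings = @()

# 1. Dropped files under %APPDATA%\GCC (names from the description)
$files = @('Controller.exe', 'GccProfiler.exe', 'uninstall.exe') |
    ForEach-Object { Join-Path $env:APPDATA "GCC\$_" }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f (SHA256 $hash)"
    }
}

# 2. Scheduled task GC_Scheduler. The page lists %SystemDrive%\Tasks\GC_Scheduler;
#    task definitions are normally stored under %SystemRoot%\System32\Tasks (assumption,
#    standard Windows layout), so both locations are checked, plus the registered task.
$taskPaths = @(
    (Join-Path $env:SystemDrive 'Tasks\GC_Scheduler'),
    (Join-Path $env:SystemRoot  'System32\Tasks\GC_Scheduler')
)
foreach ($t in $taskPaths) {
    if (Test-Path -LiteralPath $t) { $findings += "Task definition present: $t" }
}
schtasks.exe /Query /TN 'GC_Scheduler' 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) { $findings += 'Scheduled task registered: GC_Scheduler' }

# 3. Profile data under %TEMP%\GC\Profiles, reported to consume significant disk space
$profiles = Join-Path $env:TEMP 'GC\Profiles'
if (Test-Path -LiteralPath $profiles) {
    $bytes = (Get-ChildItem -LiteralPath $profiles -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    $findings += ('Profiles directory present: {0} ({1:N1} MB)' -f $profiles, ($bytes / 1MB))
}

# 4. Uninstall entry with display name "GigaClicks Crawler" (hives are the standard
#    per-machine, 32-bit-on-64-bit and per-user Uninstall locations)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'GigaClicks Crawler' }
foreach ($e in $entries) {
    $findings += "Uninstall entry: $($e.PSPath) -> $($e.UninstallString)"
}

if ($findings.Count -eq 0) {
    'No Trojan:Win32/Clikug.A indicators found.'
} else {
    $findings
}
```

The script only reports; it does not delete anything, so the file hashes and the UninstallString it prints can be recorded before any cleanup. Because the sample runs under the logged-on user's profile, the %APPDATA% and %TEMP% checks should be repeated for each user account on a shared PC.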

Last update 24 March 2014
