
TrojanDownloader:Win32/Nonaco.J


First posted on 11 June 2009.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Nonaco.J is also known as TrojanClicker:Win32/Zirit.Y (Microsoft), Trojan:Win32/Adclicker.KT (Microsoft), Trojan-Dropper.Win32.Agent.vnl (Kaspersky), Troj/DldrBJ-Gen (Sophos), Win32/Puper!generic (CA), Puper (McAfee).

Explanation :

TrojanDownloader:Win32/Nonaco.J installs other malware, including TrojanClicker:Win32/Zirit.Y and Trojan:Win32/Adclicker.KT. The installed malware repeatedly visits a specific website, with the related side effect of increasing pay-per-click counts associated with the malware. It may also display pop-ups and download other malware from the predefined website.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Installation
TrojanDownloader:Win32/Nonaco.J may be installed by other malware. When run, this trojan constructs a file name using a table of possible file name combinations such as the following:
Alrt
Sys
Win
Mon
Kbd
Srv
Service
Chk
Check
Prx
Srvc
Stat
SDRAM
Std
Void
SetDrive
Drv
Volume
Ram
Rom
Setup
RunOnce
Avp
Unknown
Boot
Run
Sun
Java
Micro

The trojan then creates a file using a combination of strings from above, as in the following example:

<system folder>\SetupAvp.dll - identified as TrojanClicker:Win32/Zirit.Y

The registry is modified to run the dropped malware at each Windows start.

Adds value: DelayLoad
With data: "rundll32 <system folder>\<malware filename>,service"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The trojan drops additional files as follows:

%ProgramFiles%\ho.exe - Trojan:Win32/Adclicker.KT
%ProgramFiles%\antiviirus.exe - TrojanClicker:Win32/Zirit.Y

Additional Information
For more information about TrojanClicker:Win32/Zirit.Y, see the description elsewhere in the encyclopedia.
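The Run-key persistence described above can be checked for during triage. The following is an added example, not part of the original write-up: it matches exported Run values against the value name, the rundll32 "service" export and the name-fragment table. The sample values are constructed, and the rule that a dropped name is two or more fragments joined together is an assumption drawn from the SetupAvp.dll example.

```python
import ntpath
import re

# Name fragments listed on this page; it says "such as", so the table may be incomplete.
FRAGMENTS = ("Alrt Sys Win Mon Kbd Srv Service Chk Check Prx Srvc Stat SDRAM Std Void "
             "SetDrive Drv Volume Ram Rom Setup RunOnce Avp Unknown Boot Run Sun Java Micro").split()

# Assumption: a dropped name is two or more fragments joined together (as in SetupAvp).
NAME_RE = re.compile("(?:%s){2,}" % "|".join(map(re.escape, FRAGMENTS)), re.I)

# Run data of the form: rundll32 <path to dll>,service
RUN_DATA = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<path>[^",]+?)"?\s*,\s*service$', re.I)


def match_run_entry(value_name, data):
    """Return the reasons a Run-key entry matches the behaviour described on the page."""
    m = RUN_DATA.match(data.strip())
    if not m:
        return []
    reasons = ["rundll32 calling export 'service'"]
    if value_name.lower() == "delayload":
        reasons.append("value name DelayLoad")
    # ntpath parses Windows paths correctly on any analysis host.
    stem = ntpath.splitext(ntpath.basename(m.group("path")))[0]
    if NAME_RE.fullmatch(stem):
        reasons.append("DLL name built from listed fragments")
    return reasons


def is_suspect(value_name, data):
    """Flag an entry when at least two independent indicators agree."""
    return len(match_run_entry(value_name, data)) >= 2


# Constructed sample of exported Run values (not taken from a real host).
SAMPLE_RUN_VALUES = [
    ("DelayLoad", r"rundll32 C:\WINDOWS\system32\SetupAvp.dll,service"),
    ("Helper", r"rundll32 C:\WINDOWS\system32\WinSrvc.dll,service"),
    ("NvCpl", r"rundll32 C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("Updater", r'"C:\Program Files\Vendor\update.exe" /background'),
]


def scan(values):
    """Return the value names of all entries flagged as suspect."""
    return [name for name, data in values if is_suspect(name, data)]


if __name__ == "__main__":
    for name, data in SAMPLE_RUN_VALUES:
        print(name, "->", match_run_entry(name, data) or "no match")
```

Requiring two indicators keeps a renamed Run value detectable while avoiding a hit on every legitimate rundll32 autorun.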

Analysis by Tim Liu

Last update 11 June 2009

 
