Win32/Clodaconas
First posted on 05 January 2017.
Source: Microsoft
Aliases:
There are no other names known for Win32/Clodaconas.
Explanation:
Installation
This threat installs the following files:
- %ProgramFiles%\DNS Unlocker\config.ini
- %ProgramFiles%\DNS Unlocker\ConsoleApplication1.dll
- %ProgramFiles%\DNS Unlocker\DNSLOCKINGTON.cer
- %ProgramFiles%\DNS Unlocker\dnslockington.exe
- %ProgramFiles%\DNS Unlocker\Info.rtf
- %ProgramFiles%\DNS Unlocker\License.rtf
- %ProgramFiles%\DNS Unlocker\LogoBlack.ico
- %ProgramFiles%\DNS Unlocker\LogoGreen.ico
- %ProgramFiles%\DNS Unlocker\LogoYellow.ico
- %ProgramFiles%\DNS Unlocker\Microsoft.Win32.TaskScheduler.dll
- %ProgramFiles%\DNS Unlocker\settings.ini
- %ProgramFiles%\DNS Unlocker\unins000.dat
- %ProgramFiles%\DNS Unlocker\unins000.exe
- %ProgramFiles%\DNS Unlocker\ZonaTools.XPlorerBar.dll
Uninstallation
This threat can be uninstalled from the Programs and Features panel.
Payload
Displays ads that you can't control
This program can show you extra ads. These advertisements would not be shown if this program wasn't installed on your PC.
Modifies registry settings without your consent
This threat changes your PC's DNS settings in the following registry entries to inject ads, thereby affecting or interrupting your browsing experience.
- In subkey: HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\
  Sets value: "DhcpNameServer"
  With data: "82.163.143.144,82.163.142.146"
- In subkey: HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\
  Sets value: "DhcpNameServer"
  With data: "82.163.143.144,82.163.142.146"
- In subkey: HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\
  Sets value: "NameServer"
  With data: "82.163.143.144,82.163.142.146"
Creates scheduled tasks without your consent
This threat also adds a scheduled task to ensure it is always running.
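A read-only check for the indicators listed above, as an added example that is not part of the original write-up: it looks for the install folder, the two DNS server addresses in the Tcpip registry values (global key and every per-adapter subkey), and scheduled tasks that launch a binary from the install folder. Checking the 32-bit Program Files folder and matching tasks by their action path are assumptions; the page names neither.

```powershell
# Indicator values copied from the description above.
$RogueDns = @('82.163.143.144', '82.163.142.146')
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\services\Tcpip\Parameters'

# Assumption: also look under the 32-bit Program Files folder on 64-bit Windows.
$InstallDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'DNS Unlocker' }

function Get-RogueDnsSetting {
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in 'DhcpNameServer', 'NameServer') {
            $data = $props.$name
            if (-not $data) { continue }
            # Server lists may be comma- or space-separated.
            $hits = @($data -split '[,\s]+' | Where-Object { $RogueDns -contains $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

# Global key plus every per-adapter subkey under Interfaces\
$keys = @($TcpipKey)
$keys += Get-ChildItem -LiteralPath "$TcpipKey\Interfaces" -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSPath }

$dnsHits = @(Get-RogueDnsSetting -KeyPath $keys)
$dirHits = @($InstallDirs | Where-Object { Test-Path -LiteralPath $_ })

# Assumption: the persistence task runs a binary from the install folder.
$taskHits = @(Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.Actions | Where-Object { $_.Execute -like '*\DNS Unlocker\*' }
})

"Install folders found : $($dirHits -join '; ')"
"Rogue DNS values      : $($dnsHits.Count)"
$dnsHits | Format-List
"Matching tasks        : $(($taskHits | ForEach-Object TaskName) -join '; ')"
```

Run it from an elevated PowerShell session. A DNS hit that persists after uninstalling means the adapter settings still need to be reset to DHCP or to the intended resolvers.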
Analysis by: Jody Koo
Last update: 05 January 2017