TrojanClicker:Win32/Clikug.D
First posted on 15 February 2019.
Source: Microsoft
Aliases:
TrojanClicker:Win32/Clikug.D is also known as Hyper Browser, Idle Crawler.
Explanation:
Installation
We have seen TrojanClicker:Win32/Clikug.D installed by other malware and unwanted software. It can also be downloaded by software bundlers that install clean applications.
The image below shows an example of a software bundler that installs TrojanClicker:Win32/Clikug.D at the same time as other applications. We detect this installer as TrojanDownloader:Win32/Clikug.A and SoftwareBundler:Win32/OxyPumper:
We have also seen it advertising an MP3 music download.
TrojanClicker:Win32/Clikug.D installs itself to the following folders:
%APPDATA%\GCC
%APPDATA%\Idle~_~Crawler
%APPDATA%\Idle~.~Crawler
%APPDATA%\Idle~Crawler
%APPDATA%\Idle-Crawler
%APPDATA%\Idle_Crawler
%APPDATA%\IdleCrawler
%APPDATA%\Hyper - Browser
%APPDATA%\Hyper Browser
The trojan creates a scheduled task so that it runs regularly:
Tasks\GC_Scheduler
Tasks\<name> Runner
Tasks\<name> Update
Where <name> can be one of the following:
Hyper Browser
Idle Crawler
A significant amount of disk space might be used by TrojanClicker:Win32/Clikug.D in the following directory. It is used to hold temporary Chrome browser profiles and extensions used for crawling:
%TEMP%\GCProfiles
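The folders, task names and profile cache listed above can be checked on a live host or a mounted disk image with a short sweep. This is an added example, not part of the original write-up: the function names are hypothetical, and it assumes the caller supplies the user's %APPDATA% and %TEMP% roots and the Task Scheduler folder to inspect.

```python
import os
from pathlib import Path

# Names copied from the folder and task lists on this page.
INSTALL_DIRS = ["GCC", "Idle~_~Crawler", "Idle~.~Crawler", "Idle~Crawler",
                "Idle-Crawler", "Idle_Crawler", "IdleCrawler",
                "Hyper - Browser", "Hyper Browser"]
TASK_NAMES = ["GC_Scheduler"] + [
    f"{name} {suffix}" for name in ("Hyper Browser", "Idle Crawler")
    for suffix in ("Runner", "Update")]


def _children(root):
    """Entries directly under root; empty list if root is missing."""
    root = Path(root)
    return list(root.iterdir()) if root.is_dir() else []


def find_install_dirs(appdata):
    """Listed install folders present under an %APPDATA% root (case-insensitive)."""
    present = {p.name.lower(): p for p in _children(appdata) if p.is_dir()}
    return [present[n.lower()] for n in INSTALL_DIRS if n.lower() in present]


def find_tasks(tasks_dir):
    """Task files whose name, with or without an extension, is a listed task."""
    wanted = {t.lower() for t in TASK_NAMES}
    return sorted(p for p in _children(tasks_dir)
                  if p.name.lower() in wanted or p.stem.lower() in wanted)


def profile_cache_bytes(temp):
    """Total size of files under <temp>/GCProfiles; 0 if the folder is absent."""
    total = 0
    for dirpath, _dirs, files in os.walk(Path(temp) / "GCProfiles"):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                pass  # unreadable or removed mid-scan; skip it
    return total


def sweep(appdata, temp, tasks_dir):
    """Collect all three artifact classes into one report dictionary."""
    return {"install_dirs": [str(p) for p in find_install_dirs(appdata)],
            "tasks": [str(p) for p in find_tasks(tasks_dir)],
            "profile_cache_bytes": profile_cache_bytes(temp)}
```

The sweep matches on names only, so a hit is a lead to confirm with an antimalware scan rather than a verdict.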
An uninstall entry is added under the display name “GigaClicks Crawler” with no developer information. Similar entries may be present for the TrojanClicker:Win32/Clikug.D names, "Hyper Browser" and "Idle Crawler". Running the uninstaller might remove the threat from your PC.
Payload
Performs click fraud
This threat can use your PC for click fraud.
We have seen it using as much as 1 GB of bandwidth per hour - this can severely impact the speed of your Internet connection as well as lead to excess data usage charges from your Internet service provider.
Analysis by Geoff McDonald
Last update 15 February 2019