
Win32/NightClick


First posted on 14 September 2016.
Source: Microsoft

Aliases :

There are no other names known for Win32/NightClick.

Explanation :

Installation
We have seen this threat distributed by software bundlers such as InstallMonster. It usually arrives from users browsing the web and downloading installers advertising free movies, games, applications, music, or TV shows. It installs into the following folders:

  • %ProgramData%\boulderbroker\
  • %ProgramData%\inetpc\
  • %ProgramData%\sitebroker\
  • %ProgramData%\windfind\
  • %ProgramData%\windriveuse\
  • %ProgramData%\winfielduse\
  • %ProgramData%\winhostuse\
  • %ProgramData%\Winmnt\
  • %ProgramData%\winnetinit\
  • %ProgramData%\winnetlog\
  • %ProgramData%\winnetmng\
  • %ProgramData%\winnetuse\
  • %ProgramData%\winrange\
  • %ProgramData%\winrate\
  • %ProgramData%\winraw\
  • %ProgramData%\winrouted\
  • %ProgramData%\winrule\
  • %ProgramData%\winstage\
  • %ProgramData%\winstateuse\
  • %ProgramData%\winwalluse\
  • %ProgramData%\winwebuse\
It also creates multiple files in the abovementioned folders, such as:
  • %ProgramData%\windfind\WinDFind.exe
  • %ProgramData%\windfind\WinDFind_.exe
  • %ProgramData%\windfind\winfindtask.exe
  • %ProgramData%\windfind\winfindtask_.exe
  • %ProgramData%\windfind\WinFindSync.exe
  • %ProgramData%\windfind\WinFindSync_.exe
This trojan clicker also registers three services on each infected machine; for example, one version uses the following display names:
  • "Window Find Manager Update"
  • "Window Find Manager"
  • "Window Find Manager2"
These services are configured to run the following commands:

In subkey: HKLM\SYSTEM\ControlSet001\services\windfindServiceUpd\
Sets value: "ImagePath"
With data: "C:\Program Files (x86)\windfind\updservice.exe"

In subkey: HKLM\SYSTEM\ControlSet001\services\WinFindSvc\
Sets value: "ImagePath"
With data: "C:\Program Files (x86)\WinFindSync.exe"

In subkey: HKLM\SYSTEM\ControlSet001\services\WinFindSvc2\
Sets value: "ImagePath"
With data: "C:\Program Files (x86)\WinFindSync_.exe"
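The following read-only host sweep is an added example, not part of Microsoft's write-up. It checks a machine for the indicators listed above (the drop folders, the three service keys with their ImagePath data, and the "Window Find Manager" display names); it assumes the ControlSet001 entries may also appear under CurrentControlSet and that other variants reuse the same folder names, and it only reports findings.

```powershell
# Added example (not from the original write-up): sweep a host for the
# Win32/NightClick indicators listed above. Service names, ImagePath data,
# display names and folder names come from the description; checking
# CurrentControlSet as well as ControlSet001 is an assumption.
# Read-only: it reports, it does not remove anything.

$serviceKeys = @{
    'windfindServiceUpd' = 'C:\Program Files (x86)\windfind\updservice.exe'
    'WinFindSvc'         = 'C:\Program Files (x86)\WinFindSync.exe'
    'WinFindSvc2'        = 'C:\Program Files (x86)\WinFindSync_.exe'
}

$folders = 'boulderbroker','inetpc','sitebroker','windfind','windriveuse',
           'winfielduse','winhostuse','Winmnt','winnetinit','winnetlog',
           'winnetmng','winnetuse','winrange','winrate','winraw','winrouted',
           'winrule','winstage','winstateuse','winwalluse','winwebuse'

$findings = @()

# 1. Service registration in the registry. A key that exists but whose
#    ImagePath differs from the documented one is still reported.
foreach ($cs in 'ControlSet001','CurrentControlSet') {
    foreach ($svc in $serviceKeys.Keys) {
        $key = "HKLM:\SYSTEM\$cs\Services\$svc"
        if (Test-Path $key) {
            $img   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
            $match = if ($img -eq $serviceKeys[$svc]) { 'exact' } else { 'name only' }
            $findings += [pscustomobject]@{ Type='ServiceKey'; Indicator=$key; Detail="ImagePath=$img ($match)" }
        }
    }
}

# 2. Drop folders under %ProgramData%, listing any executables found inside.
foreach ($f in $folders) {
    $path = Join-Path $env:ProgramData $f
    if (Test-Path $path) {
        $exes = Get-ChildItem -Path $path -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object { $_.Name }
        $findings += [pscustomobject]@{ Type='Folder'; Indicator=$path; Detail=($exes -join ', ') }
    }
}

# 3. Installed services using the display names seen in the described variant.
foreach ($s in (Get-Service | Where-Object { $_.DisplayName -like 'Window Find Manager*' })) {
    $findings += [pscustomobject]@{ Type='Service'; Indicator=$s.Name; Detail="$($s.DisplayName) [$($s.Status)]" }
}

if ($findings.Count -eq 0) { 'No Win32/NightClick indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM service keys are readable; a "name only" match means the service key exists but points at a different binary and should be inspected rather than dismissed.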



Payload

Clicks on advertisements

This trojan can use your PC to click on online advertisements without your permission or knowledge.

A malicious hacker can earn money from these clicks by stealing advertising funds from advertisers, or can use them to make websites appear more popular.

Connects to a remote host

We have seen this threat connect to a remote host, such as the following Command and Control (C & C) servers:
  • booerak.net/update.exe
  • rangesoft.org
Malware can connect to a remote host to do any of the following:
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker




Analysis by Geoff McDonald

Last update 14 September 2016
