Posted by: Amker
« on: 16. June 2007., 15:17:40 »
The Adclicker-BJ trojan is designed to connect to websites designated by its author and to redirect the browser to, or pop up, banner advertisements. The purpose is to earn the trojan author money from a "click per view" scheme.
Characteristics -
Upon installation and execution, Adclicker-BJ creates the following folder and file:
C:\Program Files\Common Files\CPUSH\cpush.dll
The file cpush.dll is installed as a Browser Helper Object so that it will be run each time Internet Explorer is started.
The following registry keys are created:
HKEY_LOCAL_MACHINE\SOFTWARE\cpush
HKEY_LOCAL_MACHINE\SOFTWARE\Sohu R&D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_CLASSES_ROOT\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_CLASSES_ROOT\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_CLASSES_ROOT\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_CLASSES_ROOT\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}
HKEY_CLASSES_ROOT\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}
HKEY_CLASSES_ROOT\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}
HKEY_CLASSES_ROOT\NewAdPopup.PopupBlock
HKEY_CLASSES_ROOT\NewAdPopup.ToolbarDetector
HKEY_CLASSES_ROOT\NewMediasCoache.HELogic
HKEY_CLASSES_ROOT\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}
The following keys:
HKEY_CLASSES_ROOT\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 "(Default)"
HKEY_CLASSES_ROOT\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32 "(Default)"
HKEY_CLASSES_ROOT\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32 "(Default)"
contain the following value:
C:\Program Files\Common Files\CPUSH\cpush.dll
This ensures that the DLL (cpush.dll) is loaded into memory again after a reboot, whenever a COM client instantiates one of those CLSIDs.
The trojan then attempts to connect to remote sites to generate clicks on banners and display pop-ups on the victim's system.
Symptoms -
Presence of the file/folders/registry keys mentioned in the characteristics.
Outgoing HTTP connections bound to the following domains:
push.[removed].com
update.[removed].com
Method of Infection -
This trojan can be installed by visiting malicious web pages. Alternatively, it may be downloaded by other viruses and/or trojans and installed on the user's system.
It can also be installed alongside bundled software downloaded from the internet.
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
McAfee
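As an added example (not part of the McAfee description or of the forum post), the following PowerShell script checks a host for the file and registry artifacts listed under "Characteristics" and "Symptoms" above, and verifies that the three CLSIDs' InprocServer32 default values actually point at cpush.dll rather than merely existing. The description was written for 32-bit Windows; the "Program Files (x86)" and Wow6432Node variants below are an assumption added for 64-bit hosts, where a 32-bit BHO registers in the WOW64 view of the registry. Run it from an elevated prompt.

```powershell
# Added example: host check for Adclicker-BJ artifacts (assumed paths marked below).
# Not the vendor's detection logic; it only looks for the indicators in the text.

$findings = [System.Collections.Generic.List[string]]::new()

$dll      = 'C:\Program Files\Common Files\CPUSH\cpush.dll'
$dllWow64 = 'C:\Program Files (x86)\Common Files\CPUSH\cpush.dll'   # assumption for 64-bit hosts
$bhoClsid = '{11F09AFD-75AD-4E51-AB43-E09E9351CE16}'

# CLSIDs whose InprocServer32 default value should name cpush.dll
$clsids = @(
    '{11F09AFD-75AD-4E51-AB43-E09E9351CE16}',
    '{34A12A06-48C0-420D-8F11-73552EE9631A}',
    '{CDE9EB54-A08E-4570-B748-13F5DDB5781C}'
)

# Registry roots: native view first, then the WOW64 view (assumption for 64-bit hosts)
$hklmRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
$hkcrRoots = @('Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node')

# 1. File on disk
foreach ($p in @($dll, $dllWow64)) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Keys listed in the description (plain presence check)
foreach ($root in $hklmRoots) {
    foreach ($sub in @('cpush', 'Sohu R&D',
        "Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid")) {
        $k = "$root\$sub"
        if (Test-Path -LiteralPath $k) { $findings.Add("Key present: $k") }
    }
}
foreach ($root in $hkcrRoots) {
    foreach ($sub in @(
        'Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}',
        'Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}',
        'Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}',
        'NewAdPopup.PopupBlock',
        'NewAdPopup.ToolbarDetector',
        'NewMediasCoache.HELogic',
        'TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}')) {
        $k = "$root\$sub"
        if (Test-Path -LiteralPath $k) { $findings.Add("Key present: $k") }
    }
}

# 3. CLSID InprocServer32: the (Default) value is the DLL COM will load
foreach ($root in $hkcrRoots) {
    foreach ($c in $clsids) {
        $k = "$root\CLSID\$c\InprocServer32"
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $server = (Get-ItemProperty -LiteralPath $k).'(default)'
        if ($server -and ($server -like '*\cpush.dll')) {
            $findings.Add("InprocServer32 for $c -> $server")
        } elseif ($server) {
            # Same CLSID reused by something else; report it for a human to judge
            $findings.Add("InprocServer32 for $c points elsewhere: $server")
        }
    }
}

# 4. Is the BHO currently loaded in any Internet Explorer process?
foreach ($proc in (Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'cpush.dll') {
                $findings.Add("Loaded in iexplore.exe PID $($proc.Id): $($m.FileName)")
            }
        }
    } catch {
        # Module enumeration fails across bitness or without rights; not a finding
    }
}

if ($findings.Count -eq 0) {
    'No Adclicker-BJ artifacts found.'
} else {
    $findings
}
```

The check in step 3 matters more than the presence checks in step 2: a CLSID or ProgID key surviving after cleanup is harmless on its own, but an InprocServer32 value that still names cpush.dll means the next Internet Explorer start (or any COM client creating that object) will load the DLL again, which is exactly the persistence the description refers to. The domains under "Symptoms" are redacted on the page, so no network check is included.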