Members
  • Total Members: 12818
  • Latest: martin
Stats
  • Total Posts: 28535
  • Total Topics: 8240
  • Online Today: 980
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: AdClicker-BJ  (Read 1693 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1081
  • KARMA: 22
  • Gender: Male
    • SCforum.info
AdClicker-BJ
« on: 16. June 2007., 15:17:40 »
The Adclicker-BJ trojan is designed to connect to the author's designated websites and redirect or pop-up banner advertisements. This is designed to make the trojan author money from a "click per view" scheme.
Characteristics -


Upon installation and execution,  Adclicker-BJ creates the following folder and file:
C:\Program Files\Common Files\CPUSH\cpush.dll

The file cpush.dll is installed as a Browser Helper Object so that it will be run each time Internet Explorer is started.

The following registry keys are created:
HKEY_LOCAL_MACHINE\SOFTWARE\cpush
HKEY_LOCAL_MACHINE\SOFTWARE\Sohu R&D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_CLASSES_ROOT\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_CLASSES_ROOT\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_CLASSES_ROOT\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_CLASSES_ROOT\Interface\{0AD3AB16-6D0E-4F04-8660-FB1F36BC2DC0}
HKEY_CLASSES_ROOT\Interface\{2F685B36-C53A-4653-9231-1DAE5736DE45}
HKEY_CLASSES_ROOT\Interface\{50C4CDD9-22D7-49FF-AC6D-7D4D528A3AB2}
HKEY_CLASSES_ROOT\NewAdPopup.PopupBlock
HKEY_CLASSES_ROOT\NewAdPopup.ToolbarDetector
HKEY_CLASSES_ROOT\NewMediasCoache.HELogic
HKEY_CLASSES_ROOT\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}

 

The following keys:
HKEY_CLASSES_ROOT\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32 "(Default)"
HKEY_CLASSES_ROOT\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32 "(Default)"
HKEY_CLASSES_ROOT\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32 "(Default)"

contain the following value :
C:\Program Files\Common Files\CPUSH\cpush.dll

This is so that the DLL file (cpush.dll) is also executed into memory after a reboot.

 

This trojan then attempts to connect to remote sites to generate clicks on banners and popups onto the victim's system.

 

 
Symptoms -


Presence of the file/folders/registry keys mentioned in the characteristics.

Outgoing HTTP connections bound to the following domains:
push.[removed].com
update.[removed].com

 

 
Method of Infection -


This trojan can be installed by visiting a malicious web pages.  Alternatively, they may be downloaded by other viruses and/or Trojans to be installed on the user's system.

It can also be installed alongside bundled software downloaded from the internet.
Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info

AdClicker-BJ
« on: 16. June 2007., 15:17:40 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising