SOPICLICK


 ALIASES:

Microsoft: Refpron; Symantec: Sopiclick; McAfee: Refpron, Sopiclick; Sunbelt: Refpron, Sopiclick; Authentium: Koblu; Fortinet: Koblu; Fprot: Koblu; Ikarus: Refpron, Koblu; Eset: Refpron; Panda: Refpron

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

The SOPICLICK malware family arrives onto systems via the Internet. Its notable routines involve copying the legitimate file, %System%\urlmon.dll and saves it as %User Temp%\x1c{numbers}.dll. SOPICLICK is used a clicker in pay-per-click online advertisements.

This Trojan connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

  TECHNICAL DETAILS

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WBEM
UpdateNew = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
WBEM
uid = "unknow"

Download Routine

This Trojan connects to the following malicious URLs:

  • {BLOCKED}3.{BLOCKED}5.105.218
  • {BLOCKED}4.{BLOCKED}3.126.2.4
  • {BLOCKED}4.{BLOCKED}3.72.250
  • {BLOCKED}4.{BLOCKED}7.57.154
  • {BLOCKED}4.{BLOCKED}0.176.66
  • {BLOCKED}4.{BLOCKED}1.44.5
  • {BLOCKED}4.{BLOCKED}1.44.8
  • {BLOCKED}4.{BLOCKED}9.86.26
  • {BLOCKED}6.{BLOCKED}6.221.101
  • {BLOCKED}4.{BLOCKED}4.201.210
  • {BLOCKED}4.{BLOCKED}5.37.210
  • {BLOCKED}kq.com
  • {BLOCKED}bits.com
  • {BLOCKED}vity.com
  • {BLOCKED}vest.com