TROJ_CLICKR.AP

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Application Data%\update.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
update.exe = "%Application Data%\update.exe"

Other System Modifications

This Trojan modifies the following file(s):

• %System%\drivers\etc\hosts

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

Other Details

This Trojan connects to the following possibly malicious URL:

• {BLOCKED}a.{BLOCKED}at.dns05.com
• {BLOCKED}p.{BLOCKED}at.dns05.com
• {BLOCKED}n.{BLOCOKED}at.dns05.com
• {BLOCKED}a.{BLOCKED}at.dns05.com
• {BLOCKED}r.{BLOCKED}at.dns05.com
• {BLOCKED}a.{BLOCKED}at.dns05.com
• {BLOCKED}n.{BLOCKED}at.dns05.com