Virus:TR/Click.VB.FO
Date discovered:02/10/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:79.872 Bytes
MD5 checksum:c3c8b6dac9c0a0cd27c3edf1822ed786
VDF version:6.36.00.71
IVDF version:6.36.00.86 - Monday, October 9, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Clicker.Win32.VB.fo
   •  F-Secure: Trojan-Clicker.Win32.VB.fo
   •  Grisoft: Clicker.DCK
   •  Eset: Win32/TrojanClicker.VB.FO


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Registry modification

 Files The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\temp.reg

%SYSDIR%\WinVer.ini
%SYSDIR%\wmpStatus.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.VB.DT.2

%malware execution directory%\a.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.
%WINDIR%\svchost.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Dldr.VB.DT.1.B

%WINDIR%\boot.ini Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.VP.2

%WINDIR%\userinit.exe Further investigation pointed out that this file is malware, too. Detected as: TR/Drop.Agent.VP.2

 Registry The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Netwscsvc]
   • "Type"=dword:00000120
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%WINDIR%\svchost.exe
   • "DisplayName"="Network wscsvc sharedaccess Service"
   • "ObjectName"="LocalSystem"
   • "Description"="???????????"

– [HKLM\SYSTEM\CurrentControlSet\Services\Netwscsvc\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\Netwscsvc\Enum]
   • "0"="Root\\LEGACY_NETWSCSVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The following registry key is changed:

– [HKCU\Software\Microsoft\Internet Explorer\International]
   Old value:
   • "AcceptLanguage"=%user defined settings%
   New value:
   • "AcceptLanguage"="zh-cn"

 File details Programming language:
 The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Adriana Popa on Thursday, October 5, 2006
Description updated by Adriana Popa on Monday, October 9, 2006

Back . . . .