Virus: TR/Click.VB.PF
Date discovered: 12/09/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 22.528 Bytes
MD5 checksum: 9fb4d2300fafec7989db659fbf73ac8a
VDF version: 6.35.01.215
IVDF version: 6.35.01.219 - Wednesday, September 13, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan-Clicker.Win32.VB.pf
   •  TrendMicro: TROJ_VB.BKM
   •  F-Secure: Trojan-Clicker.Win32.VB.pf
   •  Grisoft: Clicker.CWG
   •  Eset: Win32/TrojanClicker.VB.OO


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Drops a file
   • Registry modification
   • Steals information

Files:
It copies itself to the following location:
   • %WINDIR%\Services.exe



The following file is created:
   • %malware execution directory%\killme.bat
This batch file is executed as soon as it has been fully written and is used to delete a file.



It tries to download some files:

– The location is the following:
   • www.sou15.com/fowfly/**********
It is saved on the local hard drive under: %temporary internet files%\IeFavorites.txt

– The location is the following:
   • www.sou15.com/fowfly/**********
It is saved on the local hard drive under: %temporary internet files%\adset.txt

– The location is the following:
   • www.sou15.com/fowfly/**********
It is saved on the local hard drive under: %temporary internet files%\adlist.txt
This file may contain further download locations and might serve as a source for new threats.

Registry:
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Services"="%WINDIR%\Services.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Internet Explorer\International]
   • @=""
   • "W2KLpk"=dword:00000001

– [HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
   • "Enable"=dword:00000001
   • "Size"=dword:0000000a
   • "InitHits"=dword:00000064
   • "Factor"=dword:00000014

Backdoor:
It contacts the following server:
   • www.sou15.com/fowfly/**********

As a result it may send some information.

Sends information about:
    • Computer name
    • Current malware status

File details:
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • ASPack

Description inserted by Adriana Popa on Thursday, October 12, 2006
Description updated by Adriana Popa on Thursday, October 12, 2006
