Virus:TR/Click.AU
Date discovered:28/09/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:11.109 Bytes
MD5 checksum:e87f0271ce34b9f9491b6fd95c2e14a4
VDF version:6.36.00.60
IVDF version:6.36.00.73 - Monday, October 2, 2006

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Downloader-AYN
   •  Kaspersky: Trojan-Downloader.Win32.Nurech.c
   •  TrendMicro: PAK_Generic.002
   •  F-Secure: W32/Small.DUU
   •  Sophos: Troj/Dloadr-ANX
   •  Eset: Win32/TrojanDownloader.Agent.NHA


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a file
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\upnp.exe




It tries to download a file:

– The location is the following:
   • http://www.zxcvz.com/**********
It is saved on the local hard drive under: %temporary internet files%\Content.IE5\%randomly chosen directory%\c.php Furthermore this file gets executed after it was fully downloaded. This file may contain further download locations and might serve as source for new threats.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "np"="%SYSDIR%\upnp.exe"



The following registry keys are added:

– [HKCU\Software\unker]
– [HKCU\Software\unker\%executed file%]
– [HKCU\Software\unker\%executed file%\main]
   • "cid"=%hex values%

– [HKCU\Software\unker\upnp]
– [HKCU\Software\unker\upnp\main]
   • "cid"=%hex values%

 Backdoor Contact server:
The following:
   • http://www.zxcvz.com/**********

As a result it may send some information. This is done via the HTTP GET request on a PHP script.


Sends information about:
    • Current malware status

 Miscellaneous Mutex:
It creates the following Mutex:
   • ewffefewfwjioIJOJIojioerjiogryivctyxrtio

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • FSG

Description inserted by Monica Ghitun on Thursday, September 28, 2006
Description updated by Adriana Popa on Friday, November 17, 2006

Back . . . .