A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8983  by Cody Johnston
 Thu Oct 06, 2011 2:48 am
Win32.Jorik.Fraud.Epe (named by Kaspersky)

I have seen a few of these ITW over the past few days, and it seems that more and more keep coming...

Dropper in attach

MD5: 162ddeb71bf7f5f65ad83a92144c6a37

http://virusscan.jotti.org/en/scanresul ... 2c72bbd194
Attachments
Password: malware
(147.96 KiB) Downloaded 55 times
 #9033  by EP_X0FF
 Sat Oct 08, 2011 7:46 am
TeamRocketOps wrote: Win32.Jorik.Fraud.Epe (named by Kaspersky)

I have seen a few of these ITW over the past few days, and it seems that more and more keep coming...

Dropper in attach

MD5: 162ddeb71bf7f5f65ad83a92144c6a37

http://virusscan.jotti.org/en/scanresul ... 2c72bbd194

This is a Trojan Clicker. It runs via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
Attached is the decrypted payload DLL that it injects into browsers. It hooks several WSA APIs in the target process (recv, send, WSARecv, WSASend).
ubAffId FeedCap FeedTime wb AffId=%s
Server1=%s
Server2=%s
StatsServer1=%s
StatsServer2=%s
Backup1=%s
Backup2=%s
SubAffId%i=%s
FeedCap%i=%i
FeedTime%i=%i
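The format strings above (AffId=%s, Server1=%s, SubAffId%i=%s, FeedCap%i=%i, FeedTime%i=%i) describe a key=value config layout. As an added example, not code from the thread or from the sample, here is a parser for that layout that an analyst could run over a decrypted config blob; the sample config is constructed with placeholder values and the set of accepted server keys is assumed from the strings listed above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the key=value layout implied by the format strings.
# All values are placeholders, not taken from the real sample.
SAMPLE_CONFIG = """\
AffId=aff-PLACEHOLDER
Server1=server1.example.invalid
Server2=server2.example.invalid
StatsServer1=stats1.example.invalid
StatsServer2=stats2.example.invalid
Backup1=backup1.example.invalid
Backup2=backup2.example.invalid
SubAffId0=sub-a
FeedCap0=20
FeedTime0=3600
SubAffId1=sub-b
FeedCap1=5
FeedTime1=900
"""

# Server keys assumed from the strings listed in the post.
SERVER_KEYS = {"Server1", "Server2", "StatsServer1", "StatsServer2", "Backup1", "Backup2"}
INDEXED = re.compile(r"^(SubAffId|FeedCap|FeedTime)(\d+)$")  # per-feed keys carry an index
INT_KEYS = {"FeedCap", "FeedTime"}                            # written with %i, so integers
FEED_FIELDS = {"SubAffId", "FeedCap", "FeedTime"}

@dataclass
class ClickerConfig:
    aff_id: str = ""
    servers: dict = field(default_factory=dict)  # e.g. "Backup1" -> host
    feeds: dict = field(default_factory=dict)    # index -> {"SubAffId": .., "FeedCap": .., "FeedTime": ..}

def parse_config(text):
    """Parse key=value lines into a ClickerConfig; raise ValueError on anything malformed."""
    cfg = ClickerConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        m = INDEXED.match(key)
        if m:
            name, idx = m.group(1), int(m.group(2))
            if name in INT_KEYS and not value.isdigit():
                raise ValueError(f"line {lineno}: {name} must be an integer, got {value!r}")
            cfg.feeds.setdefault(idx, {})[name] = int(value) if name in INT_KEYS else value
        elif key == "AffId":
            cfg.aff_id = value
        elif key in SERVER_KEYS:
            cfg.servers[key] = value
        else:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
    return cfg

def complete_feeds(cfg):
    """Return (index, fields) for feeds that carry all three per-feed keys, sorted by index."""
    return [(i, f) for i, f in sorted(cfg.feeds.items()) if FEED_FIELDS.issubset(f)]

def is_malformed(text):
    """True when parse_config rejects the text (used to check the error path)."""
    try:
        parse_config(text)
        return False
    except ValueError:
        return True
```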
Attachments
pass: malware
(69.99 KiB) Downloaded 48 times