Agent trojan Click Tools: Trojan-Clicker.Win32.Agent.dca

Risk level: Medium

virus Description

The virus sample size “195,584 bytes”,  icon “” , virus extension “exe”, it is mainly through the “file bundle”, “web page linked to horse”, “download tool to download” ways to spread , The main purpose is to use a browser to access the hacker designated site, and intermittent click on the ads. After the user’s computer was infected, there will be computer and network running  Slow.

Infection in the operating system
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7

Transmission

Bundle file, web page linked to horse, download tools to download

Manual Solution:

1, manually delete the following files:
% Documents and Settings% \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ Cookies \ index.dat
% SystemRoot% \ dxplore.exe ”

2, manually delete the following Registry key:
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> “Document explorer” = “C: \ WINDOWS \ dxplore.exe? LC: \ WINDOWS \ dxplore.exe
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> NULL = NULL

Variable declaration:

% SystemDriver% system where the partition, usually “C: \”
% SystemRoot% WINDODWS directory, usually “C: \ Windows”
% Documents and Settings% user file directory, usually “C: \ Documents and Settings”
% Temp% temp folder, usually “C: \ Documents and Settings \ current user name \ Local Settings \ Temp”
% ProgramFiles% system program the default installation directory, typically: “C: \ ProgramFiles”

Analysis of the virus

1. To create links to port 1605 socket;
2. Open the% SystemRoot% \ WindowsShell.Manifest file. Trojan monitors the process to create the process itself;
3. For the% Documents and Settings% \ Administrator \ Local Settings under History; Temporary; and the properties of a series of operations IE5.0;
4. Create the file% Documents and Settings% \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ Cookies \ index.dat;
5 create the file% SystemRoot% \ dxplore.exe “and then replaced with copies of the way to talk about Trojan copies itself deplore.exe;
7. To create the registry startup key HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> “Document explorer” = “C: \ WINDOWS \ dxplore.exe? LC: \ WINDOWS \ dxplore.exe” and HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> NULL = NULL;
8. Norcox.com connecting to a remote network and from the “http://norcox.com/meet/rss.php?source=ag & just = px download% SystemRoot% \ dxsplor.tst to the local and set the property to hide the running at the same time dxsplor.tst be replaced with dxplore.exe;
9. Access 193.218.156.30:80 download the file to% Documents and Settings% \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ TemporaryInternet Files \ Content.IE5 \ CVG181MX \ rss [1]. Php hijacked browser at startup load itself;

Virus to create a file:

% Documents and Settings% \ ADMINI ~ 1 \ LOCALS ~ 1 \ Temp \ Cookies \ index.dat
% SystemRoot% \ dxplore.exe ”

Virus to create the registry:

HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> “Document explorer” = “C: \ WINDOWS \ dxplore.exe? LC: \ WINDOWS \ dxplore.exe
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run -> NULL = NULL