Trojan.Click1.44064

Trojan.Click1.44064

Added to the Dr.Web virus database: 2011-06-18

Virus description added: 2011-06-18

Technical Information

Malicious functions:

Executes the following:

<SYSTEM32>\ping.exe 127.0.0.1 -n 3
%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE http://www.21#7.cn/?ne####

Modifies file system :

Creates the following files:

%HOMEPATH%\Favorites\【淘宝风云榜】.url
%HOMEPATH%\Favorites\【疯狂购物】.url
%HOMEPATH%\Favorites\【当当商城】.url
%HOMEPATH%\Favorites\【淘宝特卖】.url
%HOMEPATH%\Favorites\在线网游.url
%HOMEPATH%\Favorites\实用查询.url
%HOMEPATH%\Favorites\【网址导航】.url
%HOMEPATH%\Favorites\【美容秘籍】.url
%HOMEPATH%\Favorites\【台湾美食】.url
%TEMP%\aut14.tmp
%PROGRAM_FILES%\TheWorld3\2\百度.url
%TEMP%\aut13.tmp
%PROGRAM_FILES%\TheWorld3\2\电视直播.url
%HOMEPATH%\Favorites\【凡客诚品】.url
%HOMEPATH%\Favorites\【卓越特价商城】.url
%TEMP%\aut15.tmp
%PROGRAM_FILES%\TheWorld3\2\系统下载.url
%HOMEPATH%\Favorites\家居玩具.url
%TEMP%\aut16.tmp
%TEMP%\aut17.tmp
%ALLUSERSPROFILE%\Start Menu\Programs\世界之窗浏览器.txt
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\世界之窗浏览器.txt
%TEMP%\aut1A.tmp
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\69I9OPW5\2127[1]
%TEMP%\aut18.tmp
%TEMP%\aut19.tmp
%ALLUSERSPROFILE%\Start Menu\世界之窗浏览器.txt
%HOMEPATH%\Favorites\游戏下载.url
%HOMEPATH%\Favorites\电视直播.url
%HOMEPATH%\Favorites\家电商城.url
%HOMEPATH%\Favorites\淘宝网.url
C:\世界之窗浏览器.lnk
%ALLUSERSPROFILE%\Desktop\世界之窗浏览器.txt
%HOMEPATH%\Favorites\百度.url
%HOMEPATH%\Favorites\系统下载.url
%PROGRAM_FILES%\TheWorld3\2\游戏下载.url
%PROGRAM_FILES%\TheWorld3\2\【台湾美食】.url
%TEMP%\aut7.tmp
%PROGRAM_FILES%\TheWorld3\2\【卓越特价商城】.url
%TEMP%\aut6.tmp
%PROGRAM_FILES%\TheWorld3\2\【淘宝特卖】.url
%TEMP%\aut9.tmp
%PROGRAM_FILES%\TheWorld3\2\【当当商城】.url
%TEMP%\aut8.tmp
%TEMP%\aut5.tmp
%TEMP%\aut2.tmp
%PROGRAM_FILES%\TheWorld3\世界之窗.ini
%TEMP%\aut1.tmp
%PROGRAM_FILES%\TheWorld3\世界之窗.exe
%TEMP%\aut4.tmp
%PROGRAM_FILES%\TheWorld3\2\【凡客诚品】.url
%TEMP%\aut3.tmp
%PROGRAM_FILES%\TheWorld3\2\favorder3.dat
%PROGRAM_FILES%\TheWorld3\2\【淘宝风云榜】.url
%PROGRAM_FILES%\TheWorld3\2\家居玩具.url
%TEMP%\aut10.tmp
%PROGRAM_FILES%\TheWorld3\2\实用查询.url
%TEMP%\autF.tmp
%PROGRAM_FILES%\TheWorld3\2\淘宝网.url
%TEMP%\aut12.tmp
%PROGRAM_FILES%\TheWorld3\2\家电商城.url
%TEMP%\aut11.tmp
%TEMP%\autE.tmp
%TEMP%\autB.tmp
%PROGRAM_FILES%\TheWorld3\2\【网址导航】.url
%TEMP%\autA.tmp
%PROGRAM_FILES%\TheWorld3\2\【疯狂购物】.url
%TEMP%\autD.tmp
%PROGRAM_FILES%\TheWorld3\2\在线网游.url
%TEMP%\autC.tmp
%PROGRAM_FILES%\TheWorld3\2\【美容秘籍】.url

Sets the 'hidden' attribute to the following files:

%PROGRAM_FILES%\TheWorld3\世界之窗.ini

Deletes the following files:

%TEMP%\aut11.tmp
%TEMP%\aut12.tmp
%TEMP%\aut13.tmp
%TEMP%\autE.tmp
%TEMP%\autF.tmp
%TEMP%\aut10.tmp
%TEMP%\aut14.tmp
%TEMP%\aut18.tmp
%TEMP%\aut19.tmp
%TEMP%\aut1A.tmp
%TEMP%\aut15.tmp
%TEMP%\aut16.tmp
%TEMP%\aut17.tmp
%TEMP%\aut4.tmp
%TEMP%\aut5.tmp
%TEMP%\aut6.tmp
%TEMP%\aut1.tmp
%TEMP%\aut2.tmp
%TEMP%\aut3.tmp
%TEMP%\aut7.tmp
%TEMP%\autB.tmp
%TEMP%\autC.tmp
%TEMP%\autD.tmp
%TEMP%\aut8.tmp
%TEMP%\aut9.tmp
%TEMP%\autA.tmp

Deletes itself.

Network activity:

Connects to:

'www.21#7.cn':80
'th#.#0440.cn':80
'localhost':1037
'localhost':1038

TCP:

HTTP GET requests:

th#.#0440.cn/Count.asp?ma###################################################
www.21#7.cn/?ne####

UDP:

DNS ASK th#.#0440.cn
DNS ASK www.21#7.cn

Miscellaneous:

Searches for the following windows:

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebcheckMonitor' WindowName: ''
ClassName: '' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''

テクノロジー

用語

トレーニングコースおよび啓蒙プロジェクト

アンチウイルスに関する誤解と噂

Technical Information

Curing recommendations

Free trial