Trojan.Clicker.Agent.NP
VERY LOW
VERY LOW
Symptoms
Presence of the HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC registry key with a UID as its default value.
Presence of an unexpected network connection to a 65.243.x.x host.
The file deletes itself after executing.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Suiu Andrei, virus researcher
Technical Description:
The trojan obtains a unique UUID on the computer on which it executes and sends it as a string, using the GET method, to a PHP script located on an internet server. It creates a URL like this:
http://65.243.x.x/trafc-2/rfe.php?cmp=tekcookon&uid=[obtained UUID]&version=1.0&lid=[first/third]
After that, the trojan deletes itself using the command interpreter obtained from the COMSPEC environment variable, executing the command "del [virus_pathname]", so the user may observe one more process created by the trojan, named "cmd.exe".
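As an added detection example (not BitDefender's tooling), the following Python flags the check-in request described above in web-proxy logs; the log layout, the 65.243.1.2 address and the UIDs in the sample are constructed.

```python
"""Detect Trojan.Clicker.Agent.NP check-in requests in web-proxy logs.
Added example, not BitDefender tooling; the log layout (timestamp client
method url) is constructed, so adapt the field split to your proxy."""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the description: a 65.243.x.x host, the rfe.php path
# and the four query parameters the trojan always sends.
BEACON_PATH = "/trafc-2/rfe.php"
REQUIRED_PARAMS = {"cmp", "uid", "version", "lid"}
EXPECTED_CMP = "tekcookon"


def is_beacon(url):
    """Return (uid, lid) if url has the trojan's check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.hostname or not parts.hostname.startswith("65.243."):
        return None
    if parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query)
    if not REQUIRED_PARAMS.issubset(qs) or qs["cmp"][0] != EXPECTED_CMP:
        return None
    return qs["uid"][0], qs["lid"][0]


def scan_proxy_log(lines):
    """Return (client_ip, uid, lid) for every GET line carrying a beacon."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line: skip rather than crash
        client, method, url = fields[1], fields[2], fields[3]
        match = is_beacon(url) if method == "GET" else None
        if match:
            hits.append((client, match[0], match[1]))
    return hits


# Constructed sample lines: the 65.243.1.2 address and the UIDs are made up.
SAMPLE_LOG = [
    "1136035200.123 10.0.0.5 GET http://65.243.1.2/trafc-2/rfe.php?cmp=tekcookon&uid=CAFE-0001&version=1.0&lid=first",
    "1136035201.456 10.0.0.7 GET http://example.org/index.html",
    "1136035202.789 10.0.0.9 POST http://65.243.1.2/trafc-2/rfe.php?cmp=tekcookon&uid=BEEF&version=1.0&lid=third",
]

if __name__ == "__main__":
    for client, uid, lid in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} sent a check-in with uid={uid} lid={lid}")
```

A hit identifies the internal client to check for the registry key and the self-deleting file described above.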