(Trojan-Clicker.Win32.VB.bjk, TR/Click.VB.bjk, Win32/TrojanClicker.VB.BJK trojan)
Symptoms
- task manager or antivirus software doesn't work
- unrequested internet traffic
- presence of the files and registry entries mentioned below
Removal instructions:
Delete the files and registry keys listed in the technical description below. To delete the file debug.exe you first need to kill its process, which you can do by running the following command: taskkill /IM debug.exe /F
Analyzed By
Deac Razvan-Ioan, virus researcher
Technical Description:
When the malware starts it creates files in the following locations:
- %windir%\system32\debug.exe
- %windir%\system32\drivers\beep.sys
- random named files such as c:\000F443C\1000516
The file beep.sys is registered as a Windows service; the following registry keys are created:
- HKLM\System\CurrentControlSet\Services\Beep\Type
- HKLM\System\CurrentControlSet\Services\Beep\Start
- HKLM\System\CurrentControlSet\Services\Beep\ImagePath
- HKLM\System\CurrentControlSet\Services\Beep\DisplayName
The malware disables the task manager by creating the following registry key and Debugger value:
SoftWare\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = ntsd -d
Similar registry keys are created in order to disable antivirus software too.
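As an added example (not part of this advisory, and not code from its author), the following Python script triages the text of a Windows registry export (`reg export` output) for the two artifacts described above: an Image File Execution Options Debugger value that redirects taskmgr.exe or an antivirus binary to ntsd, and the Beep service entries whose ImagePath points at the file that must then be verified. The .reg sample embedded in the script is constructed; the HKEY_LOCAL_MACHINE hive for the IFEO key is an assumption, since the advisory gives only the path below the hive.

```python
import re

# Constructed sample of a `reg export` dump covering the keys named in the
# advisory. The HKEY_LOCAL_MACHINE hive for the IFEO key is an assumption (the
# advisory gives only the path below the hive); the dword data is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\beep.sys"
"DisplayName"="Beep"
"""

# Lower-cased path fragments used to locate the keys of interest.
IFEO_MARKER = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SERVICES_MARKER = "\\currentcontrolset\\services\\"


def _unescape(s):
    """Undo the .reg escaping of quotes and backslashes in a string value."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.
    String and dword values are decoded; other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _subkey_after(path, marker):
    """Return the single path component following `marker`, or None."""
    idx = path.lower().find(marker)
    if idx == -1:
        return None
    rest = path[idx + len(marker):]
    return rest if rest and "\\" not in rest else None


def find_ifeo_debuggers(keys):
    """(target_exe, command) for every IFEO subkey carrying a Debugger value.
    Windows starts that command instead of the target, so a Debugger value on
    taskmgr.exe or an antivirus binary, as in this advisory, needs explaining."""
    hits = []
    for path, values in keys.items():
        target = _subkey_after(path, IFEO_MARKER)
        if target is None:
            continue
        for name, data in values.items():
            if name.lower() == "debugger":
                hits.append((target, data))
    return hits


def service_entries(keys):
    """Collect Type/Start/ImagePath for each service key so the referenced
    binary can be checked. The advisory's beep.sys sits at the legitimate
    driver path, so the file itself (hash, signature) has to be verified."""
    services = {}
    for path, values in keys.items():
        name = _subkey_after(path, SERVICES_MARKER)
        if name is None:
            continue
        lower = {k.lower(): v for k, v in values.items()}
        services[name] = {
            "type": lower.get("type"),
            "start": lower.get("start"),
            "image_path": lower.get("imagepath"),
        }
    return services


def triage(text):
    """Run both checks over one .reg export and return the findings."""
    keys = parse_reg_export(text)
    return {"ifeo_debuggers": find_ifeo_debuggers(keys),
            "services": service_entries(keys)}


if __name__ == "__main__":
    report = triage(SAMPLE_REG)
    for target, cmd in report["ifeo_debuggers"]:
        print(f"IFEO Debugger set for {target}: {cmd!r}")
    for name, entry in report["services"].items():
        print(f"service {name}: {entry}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the same for `HKLM\SYSTEM\CurrentControlSet\Services`); reg export writes UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to `triage`. The service check deliberately reports rather than judges: the ImagePath alone cannot distinguish the replaced beep.sys from the genuine driver.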
After installation, the original file deletes itself by creating and running a .bat file for that purpose.
The purpose of the malware is to download and run other malicious software on the user's machine. In order to do so, it downloads a list of URLs from locations such as:
- http://www.gucc?????prada.txt
- http://www.ball??????prada.txt
The downloaded lists are located in random named files (e.g. c:\000f60e9\1010983) and look like this:
36
http://0.0o-??????/zip1.exe
http://0.0o-??????/zip2.exe
http://0.0o-??????/zip3.exe
http://0.0o-??????/zip4.exe
.............
The files downloaded from these lists generally belong to the Trojan.PWS.OnlineGames family and are used to steal account information for certain online games.