Adclicker-DF

Type
Trojan
SubType
Adware
Discovery Date
08/22/2005
Length
Minimum DAT
4565 (08/23/2005)
Updated DAT
5125 (09/21/2007)
Minimum Engine
5.1.00
Description Added
08/22/2005
Description Modified
08/22/2005 11:33 PM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Characteristics

This Trojan lowers Internet security settings, adds itself to the Windows Firewall exception list and downloads multiple adware programs.

It registers itself in Add/Remove Programs under the names "Block Checker 1.0" and "System Process". If the user tries to uninstall "System Process", the Trojan attempts to download various adware programs onto the system. It is related to Block-Checker.com.

Upon installation the program displays a EULA. The privacy policy is located at

http://www.system-processes.com/liscense.php

It has been observed contacting the following sites, in addition to the various other adware sites from which it downloads components.

System Changes

Adds each of the following domains as a subkey of the key below, with the subkey's default value set to 0x00000001 (the per-site privacy setting "Always Allow"), so that cookies from these sites are always accepted regardless of the browser's privacy level:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\

  • tkqlhce.com
  • qksrv.net
  • linksynergy.com
  • kqzyfj.com
  • jdoqocy.com
  • fastclick.net
  • fastclick.com
  • dpbolvw.net
  • commission-junction.com
  • cc-dt.com
  • bfast.com
  • anrdoezrs.net

Files Added

  • %SystemDir%\navshext.dll (49 KB)
  • %SystemDir%\ccapp.exe (16 KB)
  • c:\program files\block checker\uninstall.exe (63 KB)
  • c:\program files\block checker\setup_finish.exe (16 KB)
  • c:\program files\block checker\setup.log (2 KB)
  • c:\program files\block checker\csrss.exe (28 KB)
  • c:\program files\block checker\block-checker.exe (48 KB)
  • c:\program files\block checker\block checker.exe (704 KB)
  • c:\documents and settings\all users\start menu\programs\block checker\block checker\block checker.lnk (1 KB)
  • c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\block checker.lnk (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "BlockChecker"="C:\Program Files\Block Checker\block-checker.exe" (runs at every logon)
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} "(default)"="System Process"
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32 "(default)"="C:\WINDOWS\System32\navshext.dll"
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32 "ThreadingModel"="Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs "C:\Program Files\Block Checker\block-checker.exe"=0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\System Process "ModId"="3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\System Process "Started"=0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%windir%\system32\ccapp.exe"="%windir%\system32\ccapp.exe:*:Enabled:System Process"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "%windir%\system32\ccapp.exe"="%windir%\system32\ccapp.exe:*:Enabled:System Process" (Windows Firewall exception for ccapp.exe, shown to the user as "System Process")
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow "*.system-processes.com" (Internet Explorer pop-up blocker allow list)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup "UninstallString"="C:\WINDOWS\System32\ccapp.exe" (the "uninstaller" behind the System Process entry is ccapp.exe itself)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup "DisplayName"="System Process"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block Checker "UninstallString"="\"C:\Program Files\Block Checker\uninstall.exe\""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block Checker "DisplayName"="Block Checker 1.0"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo "LastDate"="", "DaysToClear"="0"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN "LastDate"="", "DaysToClear"="0"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL "LastDate"="", "DaysToClear"="0"
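The checks a responder would run against a registry export for the indicators above, as an added example for this page (not McAfee's tooling and not part of the original description). It parses a constructed .reg fragment that mirrors the keys listed here, decodes the Windows Firewall AuthorizedApplications string format (path:scope:Enabled|Disabled:name), lists the P3P History domains set to always accept cookies, and matches Run and CLSID entries against the paths and domains above. The sample export, the expansion of %windir% to C:\WINDOWS, and the benign filler entries (Windows Messenger, example.org) are assumptions constructed for the example.

```python
"""Offline triage of a Windows registry export (.reg) for the indicators this
description lists. Added example for this page, not McAfee's own tooling."""
import re

# Constructed sample export mirroring the keys listed above. The firewall value format
# "path:scope:Enabled|Disabled:name" is the XP SP2 AuthorizedApplications convention;
# msmsgs.exe and example.org are benign filler the checks should ignore (assumptions).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\ccapp.exe"="%windir%\\system32\\ccapp.exe:*:Enabled:System Process"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net]
@=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\example.org]
@=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BlockChecker"="C:\\Program Files\\Block Checker\\block-checker.exe"

[HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32]
@="C:\\WINDOWS\\System32\\navshext.dll"
"ThreadingModel"="Apartment"
"""

# Indicators taken from the Files Added / Registry / System Changes lists on this page.
IOC_DOMAINS = {
    "tkqlhce.com", "qksrv.net", "linksynergy.com", "kqzyfj.com", "jdoqocy.com",
    "fastclick.net", "fastclick.com", "dpbolvw.net", "commission-junction.com",
    "cc-dt.com", "bfast.com", "anrdoezrs.net",
}
IOC_CLSID = "{c2eeb4fa-b6d6-41b9-9cfa-aba87f862bcb}"


def norm_path(path):
    """Case-fold and expand %windir% (assumed C:\\WINDOWS, as in the listing above)."""
    return path.lower().replace("%windir%", r"c:\windows")


IOC_PATHS = {norm_path(p) for p in (
    r"%windir%\system32\ccapp.exe",
    r"%windir%\system32\navshext.dll",
    r"C:\Program Files\Block Checker\block-checker.exe",
    r"C:\Program Files\Block Checker\csrss.exe",
)}

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
FW_ENTRY = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")
FW_LIST_SUFFIX = "\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\authorizedapplications\\list"
P3P_HISTORY = "\\internet settings\\p3p\\history\\"


def unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def decode_value(data):
    """Decode the right-hand side of a .reg value line (strings and dwords; others raw)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; '' holds the (default) value."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            reg[key][name] = decode_value(m.group(2))
    return reg


def firewall_exceptions(reg):
    """Parsed AuthorizedApplications entries from every control set in the export."""
    entries = []
    for key, values in reg.items():
        if key.lower().endswith(FW_LIST_SUFFIX):
            for data in values.values():
                m = FW_ENTRY.match(str(data))
                if m:
                    entries.append(m.groupdict())
    return entries


def p3p_always_allow(reg):
    """Domains whose P3P History per-site setting is 1, i.e. cookies always accepted."""
    domains = []
    for key, values in reg.items():
        idx = key.lower().find(P3P_HISTORY)
        if idx != -1 and values.get("") == 1:
            domains.append(key[idx + len(P3P_HISTORY):].lower())
    return domains


def find_indicators(reg):
    """Return human-readable findings for every indicator from this page seen in the export."""
    findings = []
    for e in firewall_exceptions(reg):
        if e["state"] == "Enabled" and norm_path(e["path"]) in IOC_PATHS:
            findings.append(f"firewall exception: {e['path']} ({e['name']})")
    for domain in p3p_always_allow(reg):
        if domain in IOC_DOMAINS:
            findings.append(f"cookies always allowed: {domain}")
    for key, values in reg.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if norm_path(str(data).strip('"')) in IOC_PATHS:
                    findings.append(f"run entry: {name} -> {data}")
        if IOC_CLSID in key.lower():
            findings.append(f"COM registration: {key}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host, export the relevant hives with reg export (for example HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess and HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) and pass the file contents to parse_reg; reg export writes UTF-16, so open the file with encoding="utf-16". Benign entries such as the Windows Messenger exception and the example.org setting (value 5, block) are parsed but not reported, which is the point of decoding the structured formats rather than grepping for strings.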

Symptoms

Presence of aforementioned files and registry keys.

Method of Infection

N/A. This trojan does not self-replicate; it is installed manually as part of the Block Checker application, and its "System Process" component downloads further adware when the user attempts to uninstall it.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.