AdClicker-EJ
- Type: Trojan
- SubType:
- Discovery Date: 05/17/2006
- Length: Varies
- Minimum DAT: 4764 (05/17/2006)
- Updated DAT: 5468 (12/18/2008)
- Minimum Engine: 5.1.00
- Description Added: 05/17/2006
- Description Modified: 05/22/2006 9:06 PM (PT)
Characteristics
Variants of this trojan are designed to connect to the author's designated websites and redirect the browser or pop up banner advertisements. The aim is to make the trojan author money from a "click per view" scheme.
Silent Installation
Variants of this trojan are known to be installed via browser exploits such as JS/Exploit-HelpXSite, requiring little or no user interaction. The exploit uses a vulnerability in Internet Explorer to download and execute the AdClicker-EJ.dr trojan.
Details of the JS/Exploit-HelpXSite trojan are available at:
Dynamic Tasks
Upon installation and execution, AdClicker-EJ communicates with the author's website for updates and instructions. It may perform the following tasks upon command:
- Install updates or new trojans
- Reconfigure the browser start page
- Redirect browser URLs to advertising websites based on typed-in keywords
- Pop-up banner advertisements
At the time of writing, some of the advertising sites used by this trojan are:
- www.9[hidden]qq.com
- [hidden].265.com
- [hidden].3721.com
- sex.happy[hidden].com
- sms.se[hidden]hu.com
- www.ok[hidden]9.com
- www.x9[hidden]x.com
- film.15[hidden]dy.com
Symptoms
Presence of one or more of the following file(s):
- %SystemRoot%\System32\FileUpdate.exe (AdClicker-EJ)
- %SystemRoot%\System32\HelperService.dll (AdClicker-EJ)
- %SystemRoot%\System32\PopService.exe (AdClicker-EJ)
- %SystemRoot%\System32\SystemToolbar.dll (AdClicker-EJ)
- %SystemRoot%\System32\setie.txt (AdClicker-EJ tasks list)
- %SystemRoot%\System32\Update.txt (AdClicker-EJ update list)
Presence of one or more of the following Windows Registry key(s):
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HelperService.IEMax_Toolbar_Helper
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemToolbar.IEMax_Toolbar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E1E1371-9D8F-4421-81B9-F8D2E1773A59}
- HKEY_LOCAL_MACHINE\SOFTWARE\IEMax_Toolbar
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B2455FD-3669-4555-8DF8-69FD5BC846F8}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E1E1371-9D8F-4421-81B9-F8D2E1773A59}
Outgoing HTTP connections bound for the following domains:
- www.475[hidden]00.com
- hacker.ia[hidden]se.com
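A read-only sweep for the file and registry indicators listed above, written for this page as an added example (it is not McAfee's tooling). It assumes PowerShell 3.0 or later; the SysWOW64 directory and the 32-bit registry view are checked as an assumption beyond the page, because on 64-bit Windows 32-bit code is redirected to those locations.

```powershell
# Added example: look for the AdClicker-EJ indicators from the Symptoms list.
# Nothing is modified or deleted; the function only reports what it finds.

$fileNames = 'FileUpdate.exe', 'HelperService.dll', 'PopService.exe',
             'SystemToolbar.dll', 'setie.txt', 'Update.txt'

# System32 is the location the page gives. SysWOW64 is an assumption added here.
$systemDirs = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

# Registry keys from the page, relative to HKEY_LOCAL_MACHINE\SOFTWARE.
$softwareKeys = @(
    'Classes\HelperService.IEMax_Toolbar_Helper'
    'Classes\SystemToolbar.IEMax_Toolbar'
    'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E1E1371-9D8F-4421-81B9-F8D2E1773A59}'
    'IEMax_Toolbar'
    'Classes\CLSID\{6B2455FD-3669-4555-8DF8-69FD5BC846F8}'
    'Classes\CLSID\{9E1E1371-9D8F-4421-81B9-F8D2E1773A59}'
)

function Find-AdClickerEJIndicator {
    $hits = @()
    foreach ($dir in $systemDirs) {
        foreach ($name in $fileNames) {
            $path = Join-Path $dir $name
            # Generic names such as Update.txt can belong to other software,
            # so a single file hit needs review before it is treated as proof.
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $hits += [pscustomobject]@{ Kind = 'File'; Path = $path }
            }
        }
    }
    # Check both registry views. A key in a shared (non-redirected) part of
    # the registry is reported once per view.
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32
    foreach ($view in $views) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        foreach ($sub in $softwareKeys) {
            $key = $hklm.OpenSubKey("SOFTWARE\$sub")
            if ($key) {
                $hits += [pscustomobject]@{ Kind = "Registry ($view)"; Path = $key.Name }
                $key.Close()
            }
        }
        $hklm.Close()
    }
    $hits
}

Find-AdClickerEJIndicator | Format-Table -AutoSize
```

An empty result means none of the listed indicators are present in the checked locations; it does not rule out variants that use other names.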
Method of Infection
This trojan can be installed by visiting a malicious web page hosting JS/Exploit-HelpXSite which installs AdClicker-EJ.dr onto the user's system with no user interaction. It is recommended that users disable active scripting in Internet Explorer.
Alternatively, variants may be downloaded by other viruses and/or trojans and installed on the user's system. Many are also mass-spammed by the author to entice people into double-clicking on them.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Adware.Win32.Delf.g (Kaspersky)
- Trojan.IEmax (Symantec)