AdClicker-ER

Type: Trojan
SubType: Win32
Discovery Date: 10/30/2006
Length: Varies
Minimum DAT: 4884 (10/30/2006)
Updated DAT: 5715 (08/20/2009)
Minimum Engine: 5.1.00
Description Added: 10/30/2006
Description Modified: 02/15/2007 10:53 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Variants of this trojan are designed to connect to websites chosen by the author and redirect the browser to, or pop up, banner advertisements. The purpose is to earn the trojan author money through a "click per view" scheme.

Silent Execution

This trojan installs a randomly named .SYS file and injects a hidden thread into the running Windows Explorer process (Explorer.exe). Its network connections therefore appear to originate from Explorer.exe. It contacts the following advertising site(s) silently, without prompting the user:

  • {blocked}.sodui.com/{blocked}/{blocked}.php

Dynamic Downloads

It may also download a list of files from the following host in order to install further updates, PUPs or malware:

  • {hidden}.newweb.com.cn

Symptoms

Presence of one or more of the following file(s) and folder(s):

  • %Windir%\System32\winup (folder)
  • %Windir%\System32\{XXXXYY}.sys (AdClicker-ER)
  • %Windir%\System32\{XXXXYY}.dll (AdClicker-ER)

(where XXXX is a random string of letters from A to Z and YY is a random number)

Presence of one or more of the following Windows Registry key(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SSearch
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXYY}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{XXXXXXYY}

(Where {XXXXXXYY} is the random filename installed by AdClicker-ER)

Unexpected HTTP connections periodically made by Windows Explorer (Explorer.exe) to the following IP address(es):

  • 219.232.xx.xx
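
The symptoms above can be checked on a single host with the following script. It is an added example, not part of the McAfee advisory; it assumes an elevated PowerShell 3+ session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and it treats the winup folder, the SSearch key, the 219.232.x.x prefix and the {XXXXYY} naming pattern exactly as the advisory states them. Anything the pattern flags still needs analyst review, since the pattern is loose by design.

```powershell
# Added example (not from the original advisory): look for the AdClicker-ER
# symptoms on the local host. The name pattern, paths, registry key and IP
# prefix come from the advisory; the regex and the pairing check are assumptions.
$sys32       = Join-Path $env:windir 'System32'
$namePattern = '^[A-Za-z]{4}\d+$'      # {XXXXYY}: four letters, then a number
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Dropped folder and the randomly named .sys/.dll pair in System32
if (Test-Path (Join-Path $sys32 'winup')) {
    $findings.Add("Folder present: $sys32\winup")
}
Get-ChildItem -Path $sys32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.sys', '.dll' -and $_.BaseName -match $namePattern } |
    ForEach-Object {
        # The advisory says both {XXXXYY}.sys and {XXXXYY}.dll are dropped,
        # so a sibling with the other extension raises confidence.
        $otherExt = if ($_.Extension -eq '.sys') { '.dll' } else { '.sys' }
        $sibling  = Test-Path (Join-Path $sys32 ($_.BaseName + $otherExt))
        $findings.Add("Random-looking file: $($_.FullName) (paired sibling: $sibling)")
    }

# 2. Registry: the SSearch key and service entries whose name fits the pattern
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\SSearch') {
    $findings.Add('Registry key present: HKLM\SOFTWARE\Microsoft\SSearch')
}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $namePattern } |
    ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Service with random-looking name: $($_.PSChildName) -> $img")
    }

# 3. Established connections from Explorer.exe into the advisory's 219.232.x.x range
$explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object Id)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.OwningProcess -in $explorerPids -and $_.RemoteAddress -like '219.232.*' } |
    ForEach-Object {
        $findings.Add("Explorer.exe connected to $($_.RemoteAddress):$($_.RemotePort)")
    }

if ($findings.Count -eq 0) { 'No AdClicker-ER symptoms found.' } else { $findings }
```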

Method of Infection

This trojan may be downloaded and installed on the user's system by other viruses and/or trojans. Many variants are also mass-spammed by the author to entice people into double-clicking on them.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned when that combination is in use.

Additional Windows ME/XP removal considerations

Variants

    N/A
