AdClicker-FC

Type: Trojan
SubType:
Discovery Date: 04/19/2007
Length: Varies
Minimum DAT: 5013 (04/19/2007)
Updated DAT: 5350 (07/30/2008)
Minimum Engine: 4.4.00
Description Added: 04/19/2007
Description Modified: 09/26/2007 5:29 PM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

AdClicker-FC redirects links or entered URLs for certain domains. After installation, the BHO silently contacts nameservicedirect.com at the next launch of Internet Explorer to retrieve a list of domains which will be redirected. The BHO then redirects any link selected or URL entered that uses one of the listed domains. In testing, the target of the redirection was often a site offering PUPs (such as Ultimate) or other "security" or system utility software of questionable quality or validity. In addition to the domains in the list, Page Not Found (404) errors are also used as an opportunity to redirect to other sites while the BHO is present.

System Changes

Files Added

  • nsduo.dll (204 KB, MD5: 285040D888670F44271C6C420A50C461)
    Note: multiple versions of this Trojan exist with varying MD5 hashes. File name may also vary.
  • %WinDir%\rs.txt (17 KB, size may vary) - contains the list of domains to redirect

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}
  • HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
  • HKEY_CLASSES_ROOT\MSVPS.MSVPSApp
  • HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
  • HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
  • HKEY_CLASSES_ROOT\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}

Symptoms

  • Presence of the registry keys or files previously listed
  • Redirection of domains listed in rs.txt to sites other than expected
  • Redirection from 404 errors to unrelated sites while browsing
  • Background communication to nameservicedirect.com
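A read-only host check for the file and registry indicators listed above, added here as an example and not McAfee's own tooling. It assumes PowerShell 4 or later in an elevated session, and resolves the BHO DLL through its CLSID's InprocServer32 value because the advisory notes the file name and MD5 vary between versions.

```powershell
# Added example: look for the AdClicker-FC indicators from this advisory. Read-only; changes nothing.
$Indicators = @{
    RegistryKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
        'Registry::HKEY_CLASSES_ROOT\MSVPS.MSVPSApp',
        'Registry::HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}',
        'Registry::HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}'
    )
    KnownMd5       = '285040D888670F44271C6C420A50C461'   # MD5 of the nsduo.dll sample in the advisory
    DomainListFile = Join-Path $env:WINDIR 'rs.txt'      # %WinDir%\rs.txt, the downloaded redirect list
}

$findings = @()

# Registry keys: on 64-bit Windows a 32-bit IE BHO registers under Wow6432Node, so check both views.
foreach ($key in $Indicators.RegistryKeys) {
    $wow = $key -replace 'SOFTWARE\\Microsoft', 'SOFTWARE\Wow6432Node\Microsoft' -replace 'HKEY_CLASSES_ROOT\\', 'HKEY_CLASSES_ROOT\Wow6432Node\'
    foreach ($k in @($key, $wow) | Select-Object -Unique) {
        if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
    }
}

# Resolve the DLL actually registered for the BHO CLSID instead of trusting the name 'nsduo.dll'.
foreach ($root in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
    $inproc = "$root\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}\InprocServer32"
    if (-not (Test-Path -LiteralPath $inproc)) { continue }
    $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
        $note = if ($hash -eq $Indicators.KnownMd5) { 'matches advisory MD5' } else { 'MD5 differs; possibly another version' }
        $findings += "BHO DLL registered: $dll ($hash, $note)"
    }
}

# The domain list written by the BHO is itself a reliable indicator regardless of DLL name.
if (Test-Path -LiteralPath $Indicators.DomainListFile) {
    $findings += "Redirect domain list present: $($Indicators.DomainListFile)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No AdClicker-FC indicators found on this host.' }
```

Any finding should be followed by a scan with the engine and DAT versions given in the Removal section rather than manual deletion, since the DLL is loaded by every Internet Explorer process while the BHO key exists.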

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a Trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

AdClicker-FC is a browser helper object (BHO) for Internet Explorer that retrieves a list of domains which it then redirects during browsing.
