
TrojanClicker:Win32/Duso.A


First posted on 08 August 2012.
Source: Microsoft

Aliases :

TrojanClicker:Win32/Duso.A is also known as TR/Zusy.3865.31 (Avira).

Explanation :



TrojanClicker:Win32/Duso.A is a trojan clicker that redirects webpages without your consent when using Internet Explorer.



Installation

TrojanClicker:Win32/Duso.A arrives on your computer as an executable (EXE) file and may have been dropped by other malware. When first run, the malware re-launches itself with the string "ChildProc" as its command-line parameter (the name indicates a parent/child launch pattern) to ensure the payload runs correctly in the child process.


It then creates an empty log file in the %TEMP% folder with the file name "01temp<today's date>.log" (for example, "01temp2012_07_18.log"). This empty log file serves as an infection marker on your computer.

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Temporary Files folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".



Payload

Connects to webpages without your consent

TrojanClicker:Win32/Duso.A monitors your Internet browsing behavior to check if you visit a website whose address contains any of the following strings:

  • baidu
  • discountperfumesupply.com
  • google
  • imeido.com


If you attempt to visit such a website, TrojanClicker:Win32/Duso.A redirects your web browser to a different website. To find pages to redirect to, it issues ordinary search-engine query URLs such as the following (the <hex strings> are percent-encoded query text; the Baidu example decodes as GB2312/GBK-encoded Chinese):

  • baidu.com/s?wd=<hex strings>, for example, baidu.com/s?wd=%B7%DF%C5%AD%B5%C4%D0%A1%C4%F1%CA%D6%BB%FA%B0%E6
  • bing.com/search?q=perfume
  • google.com/search?q=perfume
  • search.yahoo.com/search?p=perfume
  • soso.com/q?w=<hex strings>


Alternatively, it may just open webpages from the following sites, possibly to increase visits to these sites, thus increasing their traffic-generated revenue:

  • 5230youxi.com
  • 5233ruanjian.com
  • 5233youxi.com
  • 52baoruan.com
  • bfxyz.com
  • nuo7.com
  • sb5th.com
  • taohuala.com
  • xazyx.com
  • xxtxt.com


TrojanClicker:Win32/Duso.A may also use several fake User-Agent strings when requesting the webpages it redirects to. It may do this to hide the type of browser you are using, which may be incompatible with some of those websites.
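The redirect and click behaviour described above is easiest to spot on the network side, because the clicker's requests leave the machine through the same proxy as the user's own browsing. The following is an added example, written for this page and not code from the original report or from Microsoft, of detection logic run over a few constructed proxy-log lines (the log format, the client addresses and the User-Agent strings are hypothetical). It flags requests to the click-fraud domains, and "perfume" searches that either follow a visit to one of the trigger sites from the same client within a few seconds or arrive with a User-Agent that client does not normally send. It also decodes the <hex strings> form of the Baidu query, which is GB2312/GBK-encoded rather than UTF-8.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, unquote_to_bytes

# Indicator lists taken from the write-up above.
TRIGGER_STRINGS = ("baidu", "discountperfumesupply.com", "google", "imeido.com")
CLICK_DOMAINS = {"5230youxi.com", "5233ruanjian.com", "5233youxi.com", "52baoruan.com", "bfxyz.com",
                 "nuo7.com", "sb5th.com", "taohuala.com", "xazyx.com", "xxtxt.com"}
SEARCH_ENGINES = (("baidu.com", "/s", "wd"), ("bing.com", "/search", "q"), ("google.com", "/search", "q"),
                  ("search.yahoo.com", "/search", "p"), ("soso.com", "/q", "w"))  # (domain, path, query param)
# Constructed (hypothetical) proxy log format: <ISO time> <client ip> <method> <url> "<user agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def host_matches(host, domain):
    return host == domain or host.endswith("." + domain)

def is_trigger(url):  # True if the URL contains one of the strings that make the clicker redirect
    return any(s in url.lower() for s in TRIGGER_STRINGS)

def decode_query_value(raw):
    """Percent-decode a query value, trying UTF-8 first and then GBK: the baidu/soso
    queries quoted in the write-up are GB2312/GBK-encoded, not UTF-8."""
    data = unquote_to_bytes(raw.replace("+", " "))
    for enc in ("utf-8", "gbk"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1")

def search_query(url):
    """(engine domain, decoded query) if url is one of the listed engine searches, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for domain, path, param in SEARCH_ENGINES:
        if host_matches(host, domain) and parts.path == path:
            for pair in parts.query.split("&"):
                key, _, value = pair.partition("=")
                if key == param:
                    return domain, decode_query_value(value)
            return domain, ""
    return None

def classify(url):
    """'click-domain', 'perfume-search' or 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    if any(host_matches(host, d) for d in CLICK_DOMAINS):
        return "click-domain"
    found = search_query(url)
    if found is not None and found[1].strip().lower() == "perfume":
        return "perfume-search"
    return "other"

def parse_log(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # malformed lines are skipped
            ts, client, _method, url, ua = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "client": client, "url": url, "ua": ua})
    return events

def find_clicker_activity(lines, window_seconds=10):
    """Flag requests that look like the clicker rather than the user: any request to a click
    domain, and any 'perfume' search that either follows a trigger-site visit from the same
    client within window_seconds or carries a User-Agent that client does not normally use."""
    events = parse_log(lines)
    usual_ua = {c: Counter(e["ua"] for e in events if e["client"] == c).most_common(1)[0][0]
                for c in {e["client"] for e in events}}
    alerts = []
    for i, e in enumerate(events):
        label, reasons = classify(e["url"]), []
        if label == "click-domain":
            reasons.append("request to a known click-fraud domain")
        elif label == "perfume-search":
            if any(p["client"] == e["client"] and is_trigger(p["url"])
                   and 0 <= (e["time"] - p["time"]).total_seconds() <= window_seconds for p in events[:i]):
                reasons.append("'perfume' search right after a trigger-site visit")
            if e["ua"] != usual_ua[e["client"]]:
                reasons.append("'perfume' search sent with an unusual User-Agent")
        if reasons:
            alerts.append({"time": e["time"].isoformat(), "client": e["client"], "url": e["url"], "reasons": reasons})
    return alerts

# Constructed sample traffic (not from the original report): 10.0.0.5 is infected, 10.0.0.7 is clean.
SAMPLE_LOG = [
    '2012-07-18T10:15:01 10.0.0.5 GET http://www.google.com/search?q=laptop "Mozilla/5.0 (Windows NT 6.1; UA-A)"',
    '2012-07-18T10:15:03 10.0.0.5 GET http://www.bing.com/search?q=perfume "Mozilla/4.0 (compatible; MSIE 6.0; UA-B)"',
    '2012-07-18T10:15:04 10.0.0.5 GET http://www.5233youxi.com/ "Opera/9.80 (UA-C)"',
    '2012-07-18T10:16:10 10.0.0.5 GET http://www.baidu.com/s?wd=%B7%DF%C5%AD%B5%C4%D0%A1%C4%F1%CA%D6%BB%FA%B0%E6 "Mozilla/5.0 (Windows NT 6.1; UA-A)"',
    '2012-07-18T10:20:00 10.0.0.7 GET http://www.google.com/search?q=perfume "Mozilla/5.0 (Windows NT 6.1; UA-A)"',
]

if __name__ == "__main__":
    for a in find_clicker_activity(SAMPLE_LOG):
        print(a["time"], a["client"], a["url"], "; ".join(a["reasons"]))
```

On the sample, the bing search two seconds after the google visit and the request to 5233youxi.com are flagged; the later Baidu query (a non-"perfume" search with the client's usual User-Agent) and the other client's genuine "perfume" search are not. The User-Agent comparison is the weakest of the signals, since a client that runs several browsers has a mixed User-Agent profile, so treat it as corroboration for the timing rule rather than as an alert on its own.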

Modifies browser settings

TrojanClicker:Win32/Duso.A creates the following registry entry so that Internet Explorer does not prompt you to install a language pack when a redirected website is in a language that is not installed on your computer:

In subkey: HKCU\Software\Microsoft\Internet Explorer\International
Sets value: "W2KLpk"
With data: "dword:00000000"

Deletes cookies

Whenever TrojanClicker:Win32/Duso.A is run, it deletes any cookies located in the %COOKIES% folder that contain the following strings:

  • baidu
  • bing
  • google
  • yahoo
  • soso


Note: %COOKIES% refers to a variable location that is determined by the malware by querying the operating system. The default location of the Cookies folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user name>\Cookies". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Cookies".

TrojanClicker:Win32/Duso.A deletes these cookies to wipe your computer's "memory" of you having visited these websites before. This allows the malware to perform its site redirection payload without interference from any data that the websites saved about you when you visited them.

Additional information

This malware creates a second Windows desktop object named "newdsk01h" during execution (a desktop inside the interactive window station, not a separate user session). Windows opened on that desktop are not visible on the user's desktop, so it is probably used to hide the browser windows it opens for the redirected pages.
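The host-side indicators in this report (the empty dated log in %TEMP%, the W2KLpk value and the "newdsk01h" desktop) can be checked together. The following is an added example, not code from the original report or from Microsoft, that collects the three on a live Windows session and evaluates them with pure functions, so the evaluation also runs on constructed input elsewhere; the sample file listing and desktop names are hypothetical. W2KLpk set to 0 is weak evidence on its own, since a user or another program may have set it, so weight the empty marker log and the extra desktop more heavily.

```python
import os
import re
import sys

# Indicators from the write-up above.
MARKER_RE = re.compile(r"^01temp\d{4}_\d{2}_\d{2}\.log$", re.IGNORECASE)  # empty %TEMP%\01temp<date>.log
IE_INTL_KEY = r"Software\Microsoft\Internet Explorer\International"
W2KLPK_VALUE = "W2KLpk"
DESKTOP_NAME = "newdsk01h"

def marker_files(temp_listing):
    """temp_listing: iterable of (file name, size in bytes) from %TEMP%.
    Returns the names that match the marker pattern and are empty, in the order given."""
    return [name for name, size in temp_listing if MARKER_RE.match(name) and size == 0]

def assess(temp_listing, w2klpk_value, desktop_names):
    """Turn the three observations into a list of human-readable findings.
    w2klpk_value is the REG_DWORD data, or None when the value is absent."""
    findings = []
    markers = marker_files(temp_listing)
    if markers:
        findings.append("empty marker log(s) in %TEMP%: " + ", ".join(markers))
    if w2klpk_value == 0:
        findings.append("HKCU\\" + IE_INTL_KEY + "\\" + W2KLPK_VALUE + " is 0 (weak indicator on its own)")
    if any(name.lower() == DESKTOP_NAME for name in desktop_names):
        findings.append("extra desktop object '" + DESKTOP_NAME + "' exists in this window station")
    return findings

def collect_live():
    """Gather the inputs for assess() from the running Windows session.
    Returns (temp_listing, w2klpk_value, desktop_names), or None when not on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    import tempfile
    import winreg
    from ctypes import wintypes

    listing = [(entry.name, entry.stat().st_size)
               for entry in os.scandir(tempfile.gettempdir()) if entry.is_file()]

    value = None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_INTL_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, W2KLPK_VALUE)
    except OSError:
        pass  # key or value absent

    # EnumDesktops lists every desktop in the process's window station,
    # including ones created with CreateDesktop that are never switched to.
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    enum_proc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)
    user32.GetProcessWindowStation.restype = wintypes.HWINSTA
    user32.EnumDesktopsW.argtypes = [wintypes.HWINSTA, enum_proc, wintypes.LPARAM]
    desktops = []
    user32.EnumDesktopsW(user32.GetProcessWindowStation(),
                         enum_proc(lambda name, _lparam: desktops.append(name) or True), 0)
    return listing, value, desktops

# Constructed sample inputs (hypothetical, not taken from a real host).
SAMPLE_TEMP = [("01temp2012_07_18.log", 0), ("setup.log", 4096),
               ("01temp2012_07_19.log", 0), ("01temp2012_07_20.log", 12)]
SAMPLE_DESKTOPS = ["Default", "newdsk01h"]

if __name__ == "__main__":
    live = collect_live()
    inputs = live if live is not None else (SAMPLE_TEMP, 0, SAMPLE_DESKTOPS)
    for finding in assess(*inputs) or ["no Duso.A indicators found"]:
        print(finding)
```

Run it in the context of the user whose session is suspect: both the HKCU key and the desktop enumeration are per-user and per-window-station, so a check from a different account or from a service session will not see them.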



Analysis by Ric Robielos

Last update 08 August 2012