Trojan:Win32/Claretore
First posted on 06 March 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Claretore is also known as Backdoor.Proxyier!i+umlEDL4eA (VirusBuster), Trojan-Downloader.Win32.Claretore (Ikarus), Backdoor.Win32.Proxyier.ain (Kaspersky).
Explanation:
Trojan:Win32/Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL.
Installation
Trojan:Win32/Claretore copies itself as the following hidden files:
- %HOMEPATH%\<random string>-<random string>.exe
- multiple files with the format %TEMP%\<random string>.tmp
It then modifies the following registry entry to ensure that its copy executes every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update Server"
With data: "%HOMEPATH%\<random string 1>-<random string 2>.exe"
It injects its .TMP copy as a .DLL file into every running process.
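The following PowerShell script is an added triage example and is not part of the Microsoft write-up. It checks a host for the three artifacts described above: the "Windows Update Server" Run value, hidden <random>-<random>.exe and .tmp files in the documented locations, and a .tmp file loaded as a module inside running processes. The function names are my own; the value name, paths and extension come from the entry.

```powershell
# Added example (not from the Microsoft write-up). Run it from an elevated
# PowerShell session so that module lists of other users' processes are readable.

function Find-ClaretoreRunValue {
    # The write-up names the Run value "Windows Update Server" under HKCU and
    # says its data points at %HOMEPATH%\<random>-<random>.exe.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $hits = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $data = [string]$p.Value
        $inProfile = $data -like "*$($env:HOMEPATH)\*"
        $hyphenExe = $data -match '\\[^\\"]+-[^\\"]+\.exe"?\s*$'
        if ($p.Name -eq 'Windows Update Server' -or ($inProfile -and $hyphenExe)) {
            $hits += [pscustomobject]@{ Check = 'RunValue'; Name = $p.Name; Data = $data }
        }
    }
    return $hits
}

function Find-ClaretoreDroppedFiles {
    $hits = @()
    $profileDir = Join-Path $env:HOMEDRIVE $env:HOMEPATH
    # Hidden <random>-<random>.exe directly in the profile directory.
    Get-ChildItem -Path $profileDir -Filter '*-*.exe' -File -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += [pscustomobject]@{ Check = 'HiddenExe'; Path = $_.FullName } }
    # Hidden .tmp files in %TEMP% (the copy that is later injected as a DLL).
    Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += [pscustomobject]@{ Check = 'HiddenTmp'; Path = $_.FullName } }
    return $hits
}

function Find-InjectedTmpModules {
    # A DLL is normally loaded from a .dll file; a module whose path ends in
    # .tmp under %TEMP% matches the injection the write-up describes.
    $tempDir = $env:TEMP.TrimEnd('\')
    $hits = @()
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
        foreach ($m in $modules) {
            if ($m.FileName -and
                $m.FileName.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase) -and
                $m.FileName -match '\.tmp$') {
                $hits += [pscustomobject]@{ Check = 'InjectedTmp'; Process = $proc.ProcessName
                                            ProcessId = $proc.Id; Module = $m.FileName }
            }
        }
    }
    return $hits
}

$findings = @(Find-ClaretoreRunValue) + @(Find-ClaretoreDroppedFiles) + @(Find-InjectedTmpModules)
if ($findings.Count -eq 0) { 'No Claretore artifacts found.' } else { $findings | Format-Table -AutoSize }
```

A hit in any one check is worth following up on its own; a Run value alone may have been left behind after the files were removed, and a .tmp module in a process with no Run value can indicate a variant that persists differently.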
Payload
Intercepts browser communication
Trojan:Win32/Claretore hooks the following functions in mswsock.dll to intercept the browser's Internet communication:
- WSPCloseSocket
- WSPSend
- WSPRecv
It can then replace links in intercepted .HTML files with attacker-supplied URLs. For example, a variant of Trojan:Win32/Claretore has been observed to replace references to the Google Analytics JavaScript google-analytics.com/ga.js with hardymaster999.com/ga.js, allowing attacker-specified code to execute. This may result in fake Google Analytics results and/or fake advertisement clicks.
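Because the rewrite happens inside the browser's process after the HTML has arrived, the server-side copy of a page looks clean and the tampered copy is only visible from the affected host. The following PowerShell function is an added example, not part of the Microsoft write-up: it scans HTML text (for instance a page saved from the affected browser) for Google Analytics loader references whose host is not a google-analytics.com host. The list of legitimate hosts and the sample HTML are constructed for the example; hardymaster999.com is the domain the entry names.

```powershell
# Added example (not from the Microsoft write-up).

# Hosts from which the legitimate ga.js loader is served (constructed allow-list).
$LegitimateGaHosts = @('google-analytics.com', 'www.google-analytics.com', 'ssl.google-analytics.com')

function Find-RewrittenGaReference {
    param([Parameter(Mandatory)][string]$Html)
    $hits = @()
    # Match src/href attributes whose URL (absolute or protocol-relative) ends in /ga.js
    # and capture the host so it can be compared with the allow-list.
    $pattern = '(?i)(?:src|href)\s*=\s*["'']?(?<url>(?:https?:)?//(?<host>[^/"''\s]+)(?:/[^"''\s]*?)?/ga\.js)'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $hostName = $m.Groups['host'].Value.ToLowerInvariant()
        if ($LegitimateGaHosts -notcontains $hostName) {
            $hits += [pscustomobject]@{ Host = $hostName; Url = $m.Groups['url'].Value }
        }
    }
    return $hits
}

# Constructed samples: the page as the server sent it, and as the trojan would
# hand it to the browser after replacing the loader reference.
$clean    = '<script type="text/javascript" src="//www.google-analytics.com/ga.js"></script>'
$tampered = '<script type="text/javascript" src="//hardymaster999.com/ga.js"></script>'

Find-RewrittenGaReference -Html $clean       # returns nothing
Find-RewrittenGaReference -Html $tampered    # reports host hardymaster999.com
```

Comparing the same page saved from a clean host and from the suspect host, and diffing the output of this function for both, isolates the injected references without having to read through the whole document.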
Additional information
Trojan:Win32/Claretore creates a unique footprint of the operating system, and might report it to a remote server. This may be to include the affected computer in the count of malware installations.
Analysis by Stefan Sellmer
Last update 06 March 2012