TrojanClicker:Win64/Fleercivet.B
First posted on 28 November 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanClicker:Win64/Fleercivet.B.
Explanation:
Threat behavior
Installation
This threat drops a copy of itself as:
- %APPDATA%\frameworkupdate7\chromeupdate.exe
It creates the following file:
\@system.temp
It modifies the following registry entry so it runs itself each time you start your PC:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "ChromeUpdate"
With data: "%APPDATA%\frameworkupdate7\chromeupdate.exe"
Payload
Steals information about your PC
We have seen this threat connect to a remote host, www.telize.com, using port 80 to steal information about your PC, including:
- Your IP address
- The country or geographical location of your PC
- Your ASN (autonomous system number), which may indicate your Internet service provider
Connects to a remote host
We have also seen the threat connect to seastarnew.com/image/tools1.ico using port 80.
Malware can connect to a remote host to:
- Check for an Internet connection.
- Download and run files (including updates or other malware).
- Report a new infection to its author.
- Receive configuration or other data.
- Receive instructions from a malicious hacker.
- Search for your PC location.
- Upload information taken from your PC.
- Validate a digital certificate.
Additional information
This threat can create a mutex on your PC. For example:
- _HSJ909NJJNJ90203_
Analysis by James Patrick Dee
Symptoms
The following can indicate that you have this threat on your PC:
- You see these files:
- %APPDATA%\frameworkupdate7\chromeupdate.exe
- You see a mutex such as:
- _HSJ909NJJNJ90203_
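As an added example (not part of the Microsoft write-up), a read-only PowerShell check for the three indicators listed above: the Run value "ChromeUpdate", the dropped file under %APPDATA%, and the mutex. The value name and path come from this page; trying the mutex under a Global\ prefix as well is an assumption.

```powershell
# Added example, not from the Microsoft write-up. Reports indicators only; it changes nothing.
function Test-FleercivetIndicators {
    $findings = @()

    # 1. Run-key persistence: HKCU\...\Run, value "ChromeUpdate" (from the page)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $expectedPath = Join-Path $env:APPDATA 'frameworkupdate7\chromeupdate.exe'
    $runValue = Get-ItemProperty -Path $runKey -Name 'ChromeUpdate' -ErrorAction SilentlyContinue
    if ($runValue) {
        $data = [Environment]::ExpandEnvironmentVariables($runValue.ChromeUpdate).Trim('"')
        $findings += "Run value 'ChromeUpdate' present: $data"
        if ($data -ieq $expectedPath) {
            $findings += "Run value points at the documented dropper path"
        }
    }

    # 2. Dropped copy of the threat
    if (Test-Path -LiteralPath $expectedPath) {
        $findings += "Dropped file present: $expectedPath"
    }

    # 3. Mutex from the page; OpenExisting throws when no such mutex exists.
    #    Checking the Global\ namespace too is an assumption, not something the page states.
    $mutexName = '_HSJ909NJJNJ90203_'
    foreach ($name in @($mutexName, "Global\$mutexName")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings += "Mutex exists: $name"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present under this name
        } catch [System.UnauthorizedAccessException] {
            # Exists but this session cannot open it; still worth reporting
            $findings += "Mutex exists but is not accessible: $name"
        }
    }

    return $findings
}

$result = Test-FleercivetIndicators
if ($result.Count -eq 0) { 'No Fleercivet.B indicators found' } else { $result }
```

Run it in the user session of the account being checked, since the Run key and mutex are per-user.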
Last update 28 November 2014