
TrojanClicker:Win32/Yabector.B


First posted on 03 December 2009.
Source: SecurityHome

Aliases :

There are no other names known for TrojanClicker:Win32/Yabector.B.

Explanation :

TrojanClicker:Win32/Yabector.B is a program that notifies a web server of its presence without user consent. It may be bundled with an installation program as a file "eBayShortcuts.exe".

Payload

Notifies remote web server

When run, the installed component checks for the file "%APPDATA%\Desktopicon\config.ini" and creates it if it does not exist. It creates a section within the configuration data file named "[Shortcut]" with content as in the following example:

    [Shortcut]
    <LocaleString>=<number of times this program has been run>

The component then starts a Web browser instance (Internet Explorer), connects to the domain "adon-demand.de" and sends the above content as a string, as in the following example:

    adon-demand.de/<path>/?s=<LocaleString>&c=<runcount>

Upon visiting the Web site, the user is then redirected to the online auctioning site "ebay.com".

Creates shortcut

TrojanClicker:Win32/Yabector.B may also install a shortcut called "eBay.lnk" on a user's desktop. This shortcut links to the page on "adon-demand.de" and supplies one of 3 possible parameters.
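The two artefacts described above, the "[Shortcut]" run counter in config.ini and the s=/c= check-in request, can be looked for as sketched below. This is an added example, not part of the original write-up; the three-field proxy log layout, the "/x/" path, the client addresses and the "de-DE" locale value are constructed assumptions.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

BEACON_HOST = "adon-demand.de"  # domain named in the description above

def parse_run_counter(ini_text):
    """Return {locale_string: run_count} from the [Shortcut] section, else {}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the locale string's case
    try:
        cp.read_string(ini_text)
    except configparser.Error:
        return {}
    if not cp.has_section("Shortcut"):
        return {}
    return {k: int(v) for k, v in cp.items("Shortcut") if v.strip().isdecimal()}

def match_beacon(url):
    """Return (locale_string, run_count) when url has the s=/c= check-in shape."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    # Exact host or subdomain only, so look-alike hosts are not flagged.
    if host != BEACON_HOST and not host.endswith("." + BEACON_HOST):
        return None
    query = parse_qs(parts.query)
    s, c = query.get("s", [""])[0], query.get("c", [""])[0]
    return (s, int(c)) if s and c.isdecimal() else None

def scan_proxy_log(lines):
    """Return hits from 'timestamp client url' lines (assumed log layout)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 3 and (m := match_beacon(fields[2])):
            hits.append({"time": fields[0], "client": fields[1],
                         "locale": m[0], "run_count": m[1]})
    return hits

# Constructed sample data: addresses, path and locale value are made up.
SAMPLE_INI = "[Shortcut]\nde-DE=3\n"
SAMPLE_LOG = [
    "2009-12-03T10:01:02 192.0.2.5 http://adon-demand.de/x/?s=de-DE&c=3",
    "2009-12-03T10:01:05 192.0.2.5 http://www.ebay.com/",
    "2009-12-03T10:02:00 192.0.2.9 http://adon-demand.de.example.net/?s=de-DE&c=1",
    "2009-12-03T10:03:00 192.0.2.7 http://adon-demand.de/x/?s=en-US",
]
```

A run count recovered from a host's config.ini that matches the c= value in that client's proxy hits ties the file artefact to the network artefact.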

Analysis by Dan Kurc

Last update 03 December 2009

 
