Home / malware TrojanClicker:Win32/Vbadult.A
First posted on 07 December 2009.
Source: SecurityHomeAliases :
TrojanClicker:Win32/Vbadult.A is also known as AdClicker-EG (McAfee), not-a-virus:Porn-Tool.Win32.Agent.pr (Kaspersky), Trojan.Hachilem (Symantec), ADW_ADCLICKER (Trend Micro).
Explanation :
TrojanClicker:Win32/Vbadult.A is a trojan that launches Internet Explorer to open sites containing adult content.
Top
TrojanClicker:Win32/Vbadult.A is a trojan that launches Internet Explorer to open sites containing adult content. InstallationIt may be distributed with file names such as "kiss-of-adult.exe", "lady-impact.exe", "adult-douga.exe" among others. The file icon may resemble a Windows Media file as a means to trick the computer user into executing it, as in the following example: When run, it drops a copy of itself and a batch script, both having the same random file name, to a randomly selected directory within the Windows system folder, as in the following examples: <system folder>\1031\qvmxpcboniplspfi.bat <system folder>\1031\qvmxpcboniplspfi.exe - detected as TrojanClicker:Win32/Vbadult.A
<system folder>\IME\PINTLGNT\gmOKelCAcqJPzwXF.bat <system folder>\IME\PINTLGNT\gmOKelCAcqJPzwXF.exe - detected as TrojanClicker:Win32/Vbadult.A Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The batch script is run and it executes the dropped trojan copy. Once executed, the trojan remains memory resident until a Windows restart. Payload Launches Internet ExplorerWhen the trojan is run, it launches Internet Explorer to sites containing adult content. The Web site domain differs among variants of the trojan.
Analysis by Patrick NolanLast update 07 December 2009
