SOPICLICK
Aliases: Microsoft: Refpron; Symantec: Sopiclick; McAfee: Refpron, Sopiclick; Sunbelt: Refpron, Sopiclick; Authentium: Koblu; Fortinet: Koblu; Fprot: Koblu; Ikarus: Refpron, Koblu; Eset: Refpron; Panda: Refpron
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The SOPICLICK malware family arrives on systems via the Internet. Its notable routine is copying the legitimate file %System%\urlmon.dll and saving the copy as %User Temp%\x1c{numbers}.dll. SOPICLICK is used as a clicker in pay-per-click online advertisements.
This Trojan connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.
TECHNICAL DETAILS
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM
UpdateNew = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM
uid = "unknow"
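A host check for the registry values and the x1c{numbers}.dll copy described above, added here as an example (it is not part of the original write-up or any vendor tool). It assumes PowerShell 4 or later in an elevated session and that %User Temp% resolves to each profile's AppData\Local\Temp folder (Vista and later); the WOW6432Node lookup is an added assumption for a 32-bit sample on 64-bit Windows. Hits are leads for further triage.

```powershell
# Added example: host triage for the SOPICLICK artifacts listed on this page.
# Assumptions: PowerShell 4+, elevated session, profiles under <SystemDrive>\Users.
$findings = @()

# 1. Registry values under the WBEM key. WOW6432Node is also checked in case
#    a 32-bit sample wrote through registry redirection on 64-bit Windows.
$keys = 'HKLM:\SOFTWARE\Microsoft\WBEM',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\WBEM'
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'UpdateNew', 'uid') {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key\$name"; Detail = [string]$prop.Value }
        }
    }
}

# 2. x1c{numbers}.dll in user Temp folders, compared against the system's
#    urlmon.dll (both bitnesses). A hash mismatch does not clear the file:
#    urlmon.dll may have been patched since the copy was made.
$urlmonHashes = foreach ($sub in 'System32', 'SysWOW64') {
    $dll = Join-Path $env:SystemRoot "$sub\urlmon.dll"
    if (Test-Path -LiteralPath $dll) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash }
}
$tempDirs = @($env:TEMP)
$tempDirs += @(Get-Item "$env:SystemDrive\Users\*\AppData\Local\Temp" -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
foreach ($dir in ($tempDirs | Sort-Object -Unique)) {
    $files = Get-ChildItem -LiteralPath $dir -Filter 'x1c*.dll' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^x1c\d+\.dll$' }
    foreach ($file in $files) {
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $file.FullName
            Detail = "SHA256=$hash; matches urlmon.dll: $($urlmonHashes -contains $hash)" }
    }
}

$findings | Format-Table -AutoSize -Wrap
```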
Download Routine
This Trojan connects to the following malicious URLs: