TROJ_ZCLICK.D

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

• %System%\{random filename 2}.exe
• %Application Data%\{random foldername}\{random filename}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops the following files:

• %Tasks%\Security Center Update - {number}.job

Autostart Technique

This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SecurityCenterServer{number}
ImagePath = "%System%\{random filename 2}.exe -service %Application Data%\{random foldername}\{random filename}.exe"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random entry} = "%Application Data%\{random folder name}\{random filename}.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random entry} = "%Application Data%\{random folder name}\{random filename}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\ELowcQ

HKEY_LOCAL_MACHINE\SOFTWARE\{random key}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SecurityCenterServer{number}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\{random key}
License = "444"

Download Routine

This spyware connects to the following URL(s) to download its configuration file:

• http://{BLOCKED}n-pl1.com/{uri}/{hash}
• http://{BLOCKED}-watr.biz/{uri}/{hash}
• http://{BLOCKED}r1.net/{uri}/{hash}

Information Theft

This spyware s configuration file contains the following information:

• Search URL (referrer url), e.g., http://{BLOCKED}nameall.com
• Update URL (new C&C), e.g., http://{BLOCKED}i.com, http://{BLOCKED}ferr.com
• Click URL (redirection url source), e.g., http://{BLOCKED}t.com/b/pkg/{random alphanumeric}
• Mutex Name
• Flash URL

NOTES:

It hooks the following APIs:

• PlaySoundA
• PlaySoundW
• WaveOutWrite
• MessageBoxA
• MessageBoxW
• MessageBoxExA
• MessageBoxExW
• MessageBoxIndirectA
• MessageBoxIndirectW
• RegCloseKey
• RegEnumKeyExA
• RegEnumKeyExW
• RegEnumValueA
• RegEnumValueW
• RegOpenKeyA
• RegOpenKeyW
• RegOpenKeyExA
• RegOpenKeyExW
• RegCreateKeyA
• RegCreateKeyW
• RegCreateKeyExA
• RegCreateKeyExW
• RegQueryInfoKeyA
• RegQueryInfoKeyW
• RegQueryValueExA
• RegQueryValueExW
• GetCursorInfo
• GetMessagePos
• GetCursorPos
• SetCursorPos
• GetMessageA
• GetMessageW
• PeekMessageA
• PeekMessageW

It displays a full screen window with loaded URLs. This window is focused when a hooked API is used. When this window is active, it performs various mouse movements and scrolling.