Trojan-Clicker.Win32.VB.bg
From Total Malware Info
This Trojan is designed to open web pages in Internet Explorer without the user’s knowledge. It is a Windows PE EXE file. The file is 11,890 bytes in size. It is packed using UPX. The unpacked file is approximately 34KB in size. This Trojan is written in Visual Basic.
Installation
Once launched, the Trojan copies its body to the Windows system directory as "%md%.exe" (%md% is replaced by a random selection of numbers and capital Latin letters e.g."DC8RP" or "P5NS7AHA"):
%System%\%rnd%.exe
Payload
The Trojan creates the following registry keys:
[HKCR\HTTP\shell\open\command] "(default)" = "\"%System%\%rnd%.exe\" -nohome"
[HKCU\Software\VB and VBA Program Settings\KExplorer\Settings] "Command" = "\"%\Program Files%\\Internet Explorer\\iexplore.exe\" -nohome" "Installed" = "1"
[HKCR\HTTP\shell\open\ddeexec\Application] "(default)" = "KExplorer"
The Trojan then will open the following page in an Internet Explorer pop-up window:
http://te***.es/personal9/f6p16a/index2.html
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
-
Delete the file created by the Trojan:
%System%\%rnd%.exe
-
Delete the following system registry keys: (see What is a system registry and how do I use it for details on how to edit the registry).
[HKCR\HTTP\shell\open\command] "(default)" = "\"%System%\%rnd%.exe\" -nohome"
[HKCU\Software\VB and VBA Program Settings\KExplorer\Settings] "Command" = "\"%\Program Files%\\Internet Explorer\\iexplore.exe\" -nohome" "Installed" = "1"
[HKCR\HTTP\shell\open\ddeexec\Application] "(default)" = "KExplorer"
