We have seen TrojanClicker:Win32/Clikug.A installed by other malware and unwanted software. It can also be downloaded by software bundlers that install clean applications.
The image below shows an example of a software bundler that installs Clikug (also known as GigaClicks) at the same time as other applications. We detect this installer as TrojanDownloader:Win32/Clikug.A:
TrojanClicker:Win32/Clikug.A copies itself to the following locations:
The trojan creates a scheduled task so that it runs regularly:
TrojanClicker:Win32/Clikug.A also uses a significant amount of disk space in the following directory, which holds the temporary Chrome profiles and extensions used for the crawling:
An uninstall entry is added under the display name “GigaClicks Crawler” with no developer information. Running the uninstaller might remove the threat from your PC:
This threat can use your PC for click fraud.
We have seen it using as much as 1 GB of bandwidth per hour - this can severely impact the speed of your Internet connection as well as lead to excess data usage charges from your Internet service provider.
Analysis by Geoff McDonald
The following could indicate that you have this threat on your PC:
- Slow Internet speeds when you browse websites or play games
- Poor PC performance
- Unusually high bandwidth usage reported or charged to you by your Internet Service Provider (ISP)
- You have these files:
- You have the following uninstall entry:
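One way to check a PC for the uninstall entry described on this page, as an added PowerShell example that is not part of the original analysis. The display name "GigaClicks Crawler" comes from the page; the registry locations are the standard Windows uninstall keys, which is an assumption about where the entry is registered, and a blank publisher corresponds to the "no developer information" detail.

```powershell
# Added example: look for the uninstall entry this page describes.
# The display name is taken from the page. The registry paths below are the
# standard Windows uninstall keys (assumed location, not stated on the page).
$displayName = 'GigaClicks Crawler'

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'   # current user only
)

$found = foreach ($root in $uninstallRoots) {
    # A hive may be absent (for example WOW6432Node on 32-bit Windows).
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $props.DisplayName -ne $displayName) { continue }

        # Report the fields that help confirm the match and locate the uninstaller.
        [pscustomobject]@{
            RegistryKey      = $key.Name
            DisplayName      = $props.DisplayName
            PublisherIsBlank = [string]::IsNullOrWhiteSpace($props.Publisher)
            InstallLocation  = $props.InstallLocation
            UninstallString  = $props.UninstallString
        }
    }
}

if ($found) {
    $found | Format-List
} else {
    Write-Output "No uninstall entry named '$displayName' was found."
}
```

The HKCU path covers only the account running the script, so on a shared PC run it once per user profile or from an administrative session that loads the other users' hives.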