
Trojan:Win32/Claretore


Trojan:Win32/Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL.

Installation

Trojan:Win32/Claretore copies itself as the following hidden files:

  • %HOMEPATH%\<random string>-<random string>.exe
  • multiple files with the format %TEMP%\<random string>.tmp

It then modifies the following registry entry to ensure that its copy executes every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Windows Update Server"
With data: "%HOMEPATH%\<random string 1>-<random string 2>.exe"

It injects its .TMP copy as a .DLL file into every running process.

Payload

Intercepts browser communication

Trojan:Win32/Claretore hooks the following functions in mswsock.dll to intercept the browser's Internet communication:

  • WSPCloseSocket
  • WSPSend
  • WSPRecv

It can then replace links in intercepted .HTML files with attacker-supplied URLs. For example, a variant of Trojan:Win32/Claretore has been observed to replace references to the Google Analytics JavaScript google-analytics.com/ga.js with hardymaster999.com/ga.js, allowing attacker-specified code to execute. This may result in fake Google Analytics results and/or fake advertisement clicks.
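A defender reviewing proxied or captured HTTP responses can look for exactly the symptom described above: a page that loads a file named ga.js from some host other than Google's. The following script is an added example written for this write-up, not MMPC's own tooling; it assumes the legitimate loader is served from google-analytics.com (with or without the www. prefix) and that the captured page is available as an HTML string. Both sample documents are constructed, with the hardymaster999.com host taken from the variant described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the classic Google Analytics loader ga.js is fetched from these hosts.
LEGITIMATE_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _split(src):
    """Split a script URL; scheme-relative URLs (//host/path) get a scheme so the host parses."""
    if src.startswith("//"):
        src = "http:" + src
    return urlsplit(src)


def find_hijacked_ga_scripts(html):
    """Return script URLs that load a file named ga.js from a host outside LEGITIMATE_GA_HOSTS.

    Relative references without a host are ignored: the indicator on this page is a
    rewritten absolute reference pointing at an attacker-controlled domain.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html)
    suspicious = []
    for src in collector.sources:
        parts = _split(src)
        host = (parts.hostname or "").lower()
        if not host:
            continue
        if parts.path.lower().endswith("/ga.js") and host not in LEGITIMATE_GA_HOSTS:
            suspicious.append(src)
    return suspicious


# Constructed samples: an untouched page and one rewritten the way the variant above does it.
SAMPLE_CLEAN = (
    '<html><head><script src="http://www.google-analytics.com/ga.js"></script></head></html>'
)
SAMPLE_REWRITTEN = (
    '<html><head>'
    '<script type="text/javascript" src="http://hardymaster999.com/ga.js"></script>'
    '<script src="//cdn.example.com/app.js"></script>'
    '</head></html>'
)

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN), ("rewritten", SAMPLE_REWRITTEN)):
        print(label, "->", find_hijacked_ga_scripts(doc))
```

Run over a corpus of captured responses from the affected machine, any hit is worth correlating with the Run-key indicator listed under Symptoms, since the browser itself is not modified and the rewrite only shows up in the traffic the injected code has passed through.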

Additional information

Trojan:Win32/Claretore creates a unique fingerprint of the operating system and might report it to a remote server. This may be done to include the affected computer in the count of malware installations.

Analysis by Stefan Sellmer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Windows Update Server"
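The Installation and Symptoms sections above describe the same persistence indicator: a Run value named "Windows Update Server" whose data points at a hidden executable named %HOMEPATH%\<random string 1>-<random string 2>.exe. The script below is an added example for this write-up, not a Microsoft tool; it checks a set of Run-key entries against both parts of that indicator and, on Windows, can read the live HKCU Run key through the standard winreg module. The sample entries are constructed, including the random-looking file name.

```python
import re
import sys

# Indicator from the write-up: the Run value name and the shape of the path it points at.
CLARETORE_RUN_VALUE = "Windows Update Server"
CLARETORE_DATA_RE = re.compile(r'^"?%HOMEPATH%\\[^\\]+-[^\\]+\.exe"?$', re.IGNORECASE)


def check_run_entries(entries):
    """Return (value_name, data, reason) for every entry matching a Claretore indicator.

    entries maps value names to their data, as found under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Name and data are checked
    independently so a renamed value or a different path still produces a partial hit.
    """
    findings = []
    for name, data in entries.items():
        reasons = []
        if name.strip().lower() == CLARETORE_RUN_VALUE.lower():
            reasons.append("value name matches the Claretore persistence entry")
        if CLARETORE_DATA_RE.match(data.strip()):
            reasons.append("data has the %HOMEPATH%\\<random>-<random>.exe shape")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; on other platforms return an empty mapping."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been enumerated
                break
            entries[name] = str(data)
            index += 1
    return entries


# Constructed sample standing in for the Run key of an infected user profile.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Update Server": r'"%HOMEPATH%\qxzv3k-8rtpl2.exe"',
}

if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for name, data, reason in check_run_entries(entries):
        print(f"[!] {name} = {data}  ({reason})")
```

Matching the data pattern separately from the value name matters because the write-up only documents one variant; a hit on the path shape alone still points at the hidden %HOMEPATH% copy, which should then be collected together with the %TEMP%\<random string>.tmp files that are injected into running processes.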

Prevention


Alert level: Severe
First detected by definition: 1.119.1367.0
Latest detected by definition: 1.175.1896.0 and higher
First detected on: Feb 05, 2012
This entry was first published on: Feb 28, 2012
This entry was updated on: Mar 05, 2012

This threat is also detected as:
  • Backdoor.Proxyier!i+umlEDL4eA (VirusBuster)
  • Trojan-Downloader.Win32.Claretore (Ikarus)
  • Backdoor.Win32.Proxyier.ain (Kaspersky)