Trojan:Win32/Adclicker.AJ


Trojan:Win32/Adclicker.AJ is a Trojan that installs itself as a Browser Helper Object in order to redirect user web browsing to particular advertising or search sites.


What to do now

Manual removal is not recommended for this Trojan. To detect and remove this Trojan and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.windowsmarketplace.com/category.aspx?bcatid=3303.

Threat behavior

Trojan:Win32/Adclicker.AJ is a Trojan that installs itself as a Browser Helper Object in order to redirect user web browsing to particular advertising or search sites. It has been observed to arrive on the affected system as a part of an adware installation package, or by being dropped by another Trojan after a previous system compromise. 
 
Installation
Upon installation, it creates the following files:
 
  • <UserPath>\ActivationManager\ActivationManager.dll - a DLL component (the BHO itself)
  • <UserPath>\Uninstall.exe - an uninstaller
 
Where <UserPath> is the file path or directory chosen by the user; the default path is %Program Files%.
 
This Trojan installs itself as a BHO by adding the following registry key (Internet Explorer loads the COM object named by each subkey under this key when it starts):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86A44EF7-78FC-4e18-A564-B18F806F7F56}
 
It also adds the following registry keys (the InprocServer32 value is what maps the BHO's CLSID to the DLL on disk):
HKEY_CURRENT_USER\Software\ActivationManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ActivationManager.ActivationManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A44EF7-78FC-4e18-A564-B18F806F7F56}\InprocServer32\(Default) = "<UserPath>\ActivationManager\ActivationManager.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86A44EF7-78FC-4e18-A564-B18F806F7F56}
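
The chain above (Browser Helper Objects subkey -> CLSID -> InprocServer32 default value -> DLL path) is the lookup Internet Explorer performs to find the DLL it will load, so it is also the chain a triage script should follow. The Python script below is an added example, not part of this encyclopedia entry or of any Microsoft tool: it parses a constructed `reg export` style text, resolves every registered BHO to its DLL, and flags the CLSID and file name listed in this entry. The sample registry text is made up; only the {86A44EF7-...} CLSID and ActivationManager.dll come from the entry, while the other two CLSIDs and example_helper.dll are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the entry above (CLSID and DLL name of Adclicker.AJ's BHO).
ADCLICKER_AJ_CLSID = "{86A44EF7-78FC-4e18-A564-B18F806F7F56}".lower()
ADCLICKER_AJ_DLL = "activationmanager.dll"

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# On 64-bit Windows the 32-bit IE view lives under ...\Wow6432Node\...; a full
# triage would walk that pair of keys as well. Omitted here to keep the example short.

# Constructed sample of a `reg export` file (real exports are UTF-16LE with a BOM;
# decode them before parsing). Only the first CLSID and its DLL come from the
# entry; the other two CLSIDs and example_helper.dll are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86A44EF7-78FC-4e18-A564-B18F806F7F56}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99999999-8888-7777-6666-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A44EF7-78FC-4e18-A564-B18F806F7F56}\InprocServer32]
@="C:\\Program Files\\ActivationManager\\ActivationManager.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\example_helper.dll"
"ThreadingModel"="Apartment"
'''

# Matches `@=<value>` (default value) and `"name"=<value>` lines of a .reg file.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers, @="..." defaults,
    "name"="..." strings and "name"=dword:... values. Key and value names are
    lower-cased because the registry is case-insensitive; the default value is
    stored under the empty name."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else m.group(1)[1:-1]
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            # .reg escapes quotes and backslashes inside string values
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        current[name.lower()] = value
    return keys


def enumerate_bhos(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """Walk the Browser Helper Objects key and resolve each CLSID subkey to the
    COM server DLL named by HKLM\\SOFTWARE\\Classes\\CLSID\\{clsid}\\InprocServer32\\(Default)."""
    prefix = BHO_KEY.lower() + "\\"
    found: List[Tuple[str, Optional[str]]] = []
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:  # a deeper subkey, not a BHO registration itself
            continue
        inproc = keys.get(f"{CLSID_ROOT.lower()}\\{clsid}\\inprocserver32", {})
        found.append((clsid, inproc.get("")))
    return found


def classify_bho(clsid: str, dll_path: Optional[str]) -> str:
    """Label a BHO: 'adclicker.aj' if the CLSID or DLL file name matches this
    entry's indicators, 'unresolved' if the CLSID has no InprocServer32 (IE
    cannot load it, but a leftover registration still deserves a look), else 'unknown'."""
    if dll_path is None:
        return "unresolved"
    if clsid == ADCLICKER_AJ_CLSID or dll_path.rsplit("\\", 1)[-1].lower() == ADCLICKER_AJ_DLL:
        return "adclicker.aj"
    return "unknown"


def scan_reg_export(text: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Map each registered BHO CLSID (lower-cased) to (resolved DLL path, label)."""
    keys = parse_reg(text)
    return {clsid: (dll, classify_bho(clsid, dll)) for clsid, dll in enumerate_bhos(keys)}


if __name__ == "__main__":
    for clsid, (dll, label) in scan_reg_export(SAMPLE_REG).items():
        print(f"{label:12} {clsid} -> {dll}")
```

To run this against a real machine, export the Browser Helper Objects key and HKLM\SOFTWARE\Classes\CLSID with `reg export`, decode the UTF-16LE output, and concatenate the two files before passing them to scan_reg_export. Matching on the DLL file name as well as the CLSID is deliberate: the CLSID is a stable indicator for this variant, but the file name catches a re-registered copy under a different CLSID.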
 
Payload
Redirects Web Browsing
It may redirect the user's current webpage to advertising websites or other search engines. In the wild, this Trojan has been observed to redirect the user's web browsing to the following domains:
my.begun.ru
promoforum.ru
seochase.com
mastertalk.ru
forum.searchengines.ru
searchengines.ru
armadaboard.com
umaxforum.com
crutop.nu
crutop.com
master-x.com
umaxlogin.com
rusawm.com
gof*ckyourself.com

Symptoms

System Changes
The following system changes may indicate the presence of Trojan:Win32/Adclicker.AJ:
  • The following files:
    <UserPath>\ActivationManager\ActivationManager.dll - a DLL component
    <UserPath>\Uninstall.exe - an uninstaller
    Where <UserPath> is the file path or directory chosen by the user; the default path is %Program Files%.
  • The following registry modifications:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{86A44EF7-78FC-4e18-A564-B18F806F7F56}
    HKEY_CURRENT_USER\Software\ActivationManager
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ActivationManager.ActivationManager
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86A44EF7-78FC-4e18-A564-B18F806F7F56}\InprocServer32\(Default) = "<UserPath>\ActivationManager\ActivationManager.dll"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86A44EF7-78FC-4e18-A564-B18F806F7F56}

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Dec 12, 2007
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • not-a-virus:AdWare.Win32.BHO.de (Kaspersky)
  • Adware.BHO-155 (Clam AV)