Trojan:Win32/C2Lop.gen!K


Trojan:Win32/C2Lop.gen!K is a generic detection for a family of trojans that modify web browser settings, add browser bookmarks, and deliver pop-up advertisements. It is a member of the Trojan:Win32/C2Lop malware family.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
Trojan:Win32/C2Lop.gen!K may arrive on a system as a file that is bundled with other software. When run, it launches Internet Explorer and injects its malicious code into the IE process.
 
As part of its malicious routine, it may modify the system registry to include the following:
 
Adds value: "<random string 1>"
With data: "<random data>"
To subkey: HKCU\Software\<random string 2>
 
where <random string 1> and <random string 2> are words or phrases built from some of the following strings (the case and spacing vary, as the example below shows):
 
base
bash
bat
beep
bend
bias
bib
bike
bin
bind
bird
bits
blah
bleh
blue
body
bold
bolt
bone
boob
book
bore
bows
browse
build
burn
byte
cake
camp
cash
cast
cdrom
chic
chin
city
clock
close
coal
comp
cool
copy
corn
creative
curb
dale
dart
dash
data
date
dead
deaf
debug
default
defy
delete
dent
does
dog
download
draw
drive
drv
dumb
dupe
dvd
each
eggs
else
enc
eq
error
exit
extra
face
fast
file
film
find
first
five
flag
flap
flaw
for
ford
fork
four
frag
free
funk
global
glue
gpl
gram
great
grey
grid
grim
heart
heck
help
hide
hold
hole
hope
htm
idle
idol
info
inside
inter
internet
intra
iso
itch
joy
jugs
jump
junk
keep
kind
knob
less
license
lies
link
list
lite
live
load
locks
log
logo
long
loud
love
mags
mail
manager
mapi
math
meal
media
meet
memo
meow
mess
meta
mfcd
mix
mode
more
move
mp3
mpeg
multi
name
new
noun
nurb
obj
okay
once
one
online
ooze
open
option
owns
part
peak
phone
pile
ping
plan
platform
play
plus
poke
poll
pop
proc
program
proxy
pure
rdr
readme
real
rect
ref
regs
remote
road
roam
rule
safe
save
scr
second
sect
seek
send
settings
setup
shim
show
sign
site
sixth
size
skip
slow
soap
soft
software
spam
start
stop
store
stupid
style
support
surf
team
test
that
the
third
this
thunk
tick
time
title
tons
tool
trans
tray
trust
two
type
up
upload
user
vc
vga
view
wait
warn
wave
way
web
win
window
wipe
wma
 
For example, a generated registry entry could be:
Value: "MANAGER ONCE"
Data: "ët..;ûk%î¿7@.­"
Subkey: HKCU\Software\web bows peakDumb
Payload
Downloads and executes arbitrary files
Win32/C2Lop.gen!K may connect to a remote web site to download and execute arbitrary files. The downloaded files are usually members of the TrojanDownloader:Win32/Swizzor family or other components of the Trojan:Win32/C2Lop family. Once the downloaded files are successfully installed, unwanted pop-ups and advertisements may be displayed on the system.
 
For example, a specific sample of Win32/C2Lop.gen!K attempts to connect to "nb.host192-168-1-2.com" via TCP port 80 and download files.
Analysis by Elda Dimakiling

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • Unwanted pop-ups and advertisements may be displayed.

Prevention


Alert level: Severe
First detected by definition: 1.61.1613.0
Latest detected by definition: 1.61.1613.0 and higher
First detected on: Jul 15, 2009
This entry was first published on: Aug 13, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases