Installation
This trojan can be downloaded and run automatically if you visit malicious websites.
It is usually downloaded with the file name flashplayer.exe with an icon like the following:

When run, the trojan displays the following message:

Payload
Downloads malware
The trojan connects to http://82.146.49.70/stats.php, apparently so that the author can count the number of machines it has infected.
It tries to download a malicious file from a SkyDrive account. The malware author can put any files in the SkyDrive account; we have seen the trojan attempt to download files related to the following families:
It uses the following format to create the URL from where it downloads the malicious file:
https://skydrive.live.com/download.aspx?cid=<RandomCharacters>&resid=<RandomCharacters>%<RandomNumbers>
The CID and RESID values are alphanumeric strings that are hardcoded in the original trojan. The CID refers to a SkyDrive account, and the RESID to a file or resource on that account.
The trojan drops itself as %ProgramData%\explorer.exe and modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Start WingMan Profiler"
With data: "%ProgramData%\explorer.exe"
The trojan drops the following file that it uses as a logon script to connect to the SkyDrive account and retrieve the file:
%APPDATA%\Roaming\flashplayer2.exe
It drops and runs a batch file that deletes the main trojan file and then the batch file itself. We have seen variants of Clodow use the file names winproc.bat and uecubrb.bat for this batch file.
The trojan will then display the following message:
Additional information
Trojan:AutoIt/Clodow creates the mutex dldl. This could be an infection marker to prevent more than one copy of the threat running on your PC.
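The persistence entry, dropped files, mutex and reporting host listed above can be checked on a suspect machine with the read-only PowerShell triage script below. It is an added example, not part of the original analysis; it takes the indicator values exactly as this page states them, and the extra flashplayer2.exe path directly under %APPDATA% and the Global\ variant of the mutex name are my assumptions, not something the page states.

```powershell
# Added triage script for the Trojan:AutoIt/Clodow indicators described above.
# Run in an elevated PowerShell session on the host being examined.
# It only reports findings; it removes nothing.

$findings = @()

# 1. Persistence: HKLM Run value "Start WingMan Profiler" -> %ProgramData%\explorer.exe
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Start WingMan Profiler'
$runValue  = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue) {
    $findings += "Run value '$valueName' present with data: $runValue"
}

# 2. Dropped files. The first two paths are as written on this page; the third is an
#    assumption added here because %APPDATA% already expands to the Roaming folder.
$dropped = @(
    (Join-Path $env:ProgramData 'explorer.exe'),
    (Join-Path $env:APPDATA 'Roaming\flashplayer2.exe'),
    (Join-Path $env:APPDATA 'flashplayer2.exe')
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 3. Mutex "dldl": an existing handle suggests a running copy. The page does not say
#    which namespace is used, so the session-local and Global\ names are both tried.
foreach ($name in @('dldl', 'Global\dldl')) {
    $mutex = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
            $findings += "Mutex '$name' exists (running instance likely)"
            $mutex.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex '$name' exists but could not be opened (access denied)"
    }
}

# 4. Live connection to the reporting host (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
$conn = Get-NetTCPConnection -RemoteAddress '82.146.49.70' -ErrorAction SilentlyContinue
if ($conn) {
    $findings += "Active TCP connection to 82.146.49.70 from PID(s): $($conn.OwningProcess -join ', ')"
}

if ($findings.Count -eq 0) { Write-Output 'No Clodow indicators from this description were found.' }
else { Write-Output 'Possible Trojan:AutoIt/Clodow indicators:'; $findings | ForEach-Object { Write-Output "  - $_" } }
```

A hit on the Run value or the mutex is a much stronger signal than a file named explorer.exe under %ProgramData% on its own, so verify the file hash before acting on it.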
The trojan will run on both 32-bit and 64-bit versions of Windows, even though it displays the following message:

Analysis by Ferdinand Plazo