Threat behavior
TrojanClicker:Win32/VB.GE is a trojan that repeatedly contacts a remote web server which pushes pay-per-click advertisements to the affected machine, generating click revenue for whoever operates that server. The trojan can also download an updated copy of itself onto the affected machine.
Installation
TrojanClicker:Win32/VB.GE creates multiple copies of itself on an affected machine. When executed, it drops the following files:
%windir%\Fonts\cooecp.tlb - copy of itself
%windir%\Fonts\logcde.dll - copy of itself
%windir%\Fonts\services.exe - Trojan:Win32/Malagent
%windir%\Fonts\windef.dll - copy of itself
%windir%\Fonts\windef.Log - copy of itself
%windir%\Fonts\winpaged.ocx - copy of itself
%windir%\system32\msbzaml.exe - copy of itself
%windir%\system32\msfcysny.exe - copy of itself
%windir%\system32\msgrls.exe - copy of itself
%windir%\system32\msoesj.exe - copy of itself
%windir%\system32\msopro.exe - copy of itself
%windir%\system32\msplprwg.exe - copy of itself
%windir%\system32\msrocnws.exe - copy of itself
%windir%\system32\msvbxzn.exe - copy of itself
%windir%\system32\MSWINSCK.OCX - clean file; a UPX-packed copy of the Microsoft Winsock ActiveX control (MSWINSCK.OCX) that Visual Basic programs use for network access.
Note that the copies dropped into %windir%\Fonts carry non-executable extensions (.tlb, .Log, .ocx), and that %windir%\Fonts\services.exe borrows the name of the legitimate Windows service control manager, which lives in %windir%\system32; a services.exe whose image path is the Fonts directory is a reliable sign of this infection.
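As an added example (not part of the original write-up), the following Python check flags PE images stored under non-executable names, the pattern used for the Fonts drops listed above. It builds its own constructed stand-in directory with minimal MZ/PE headers rather than reading a real %windir%\Fonts; the file names are the ones from the list above, the contents are synthetic, and the EXPECTED_PE_EXT set is an assumption about which extensions normally hold PE images. Because .fon bitmap fonts are 16-bit NE images that also begin with an MZ header, the check looks specifically for the PE\0\0 signature at e_lfanew so that legitimate fonts are not reported.

```python
"""Find PE images hiding under non-executable names, e.g. in %windir%\\Fonts
(added example; builds its own sample files, not a scan of a real system)."""
import os
import struct
import tempfile

# Extensions under which a PE image is expected (assumed list); anything else
# that carries a PE header (a .tlb, a .Log, a .ttf) is worth a look.  .fon
# bitmap fonts are NE (16-bit) images, not PE, so checking for "PE\0\0"
# leaves them alone.
EXPECTED_PE_EXT = {".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl", ".drv"}


def is_pe(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_disguised_pe(directory, expected=EXPECTED_PE_EXT):
    """Return sorted basenames of PE files whose extension is not in `expected`.
    Pass expected=set() for a directory such as Fonts that should hold no PE at all."""
    hits = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        ext = os.path.splitext(name)[1].lower()   # ".Log" and ".log" compare equal
        if os.path.isfile(path) and ext not in expected and is_pe(path):
            hits.append(name)
    return sorted(hits)


def _minimal_pe():
    """Smallest byte string the check accepts: MZ stub, e_lfanew = 0x40, PE signature."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


def _minimal_ne():
    """A .fon-style NE image: MZ stub with e_lfanew pointing at 'NE'."""
    buf = bytearray(0x42)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x42] = b"NE"
    return bytes(buf)


def build_sample_fonts_dir():
    """Constructed stand-in for %windir%\\Fonts using names from this write-up."""
    d = tempfile.mkdtemp(prefix="fonts_")
    samples = {
        "arial.ttf": b"\x00\x01\x00\x00" + b"\x00" * 60,   # TrueType header, not PE
        "vgasys.fon": _minimal_ne(),                        # NE font resource, not PE
        "cooecp.tlb": _minimal_pe(),                        # PE under a type-library name
        "windef.Log": _minimal_pe(),                        # PE under a log-file name
        "logcde.dll": _minimal_pe(),                        # PE, but a DLL has no business in Fonts
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    d = build_sample_fonts_dir()
    print("PE files under non-PE names:", find_disguised_pe(d))
    print("any PE at all in Fonts:", find_disguised_pe(d, expected=set()))
```

On a real system, point find_disguised_pe at the Fonts directory with expected=set(), since no PE image belongs there, and at system32 with the default set to catch executables hiding behind data-file extensions.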
It also makes a large number of registry modifications, including adding the following entries:
HKCR\csfile
HKCR\csfile\DefaultIcon
HKCR\csfile\DefaultIcon\(Default)= "%1"
HKCR\csfile\shell
HKCR\csfile\shell\open
HKCR\csfile\shell\open\command
HKCR\csfile\shell\open\command\(Default) = "C:\WINDOWS\system32\msbzaml.exe "%1" %*"
HKCU\Software\Microsoft\Internet Explorer\Main\Use FormSuggest ="yes"
HKCU\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"
HKCU\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "C:\WINDOWS\system32\msvbxzn.exe"
HKLM\SOFTWARE\Classes\csfile
HKLM\SOFTWARE\Classes\csfile\DefaultIcon
HKLM\SOFTWARE\Classes\csfile\DefaultIcon\(Default) = "%1"
HKLM\SOFTWARE\Classes\csfile\shell
HKLM\SOFTWARE\Classes\csfile\shell\open
HKLM\SOFTWARE\Classes\csfile\shell\open\command
HKLM\SOFTWARE\Classes\csfile\shell\open\command\(Default) = "C:\WINDOWS\system32\msbzaml.exe "%1" %*"
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "yes"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS\CheckedValue = dword:00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\exec = "C:\WINDOWS\system32\msplprwg.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = dword:00000000
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\fonts\services.exe = "C:\WINDOWS\fonts\services.exe:*:Enabled:services.exe"
It also modifies the following existing entries:
HKCR\.bat\(Default) = "csfile"
HKCR\.com\(Default) = "csfile"
HKCR\.exe\(Default) = "csfile"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load = "C:\WINDOWS\system32\msrocnws.exe"
HKLM\SOFTWARE\Classes\.bat\(Default) = "csfile"
HKLM\SOFTWARE\Classes\.com\(Default) = "csfile"
HKLM\SOFTWARE\Classes\.exe\(Default) = "csfile"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = dword:00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto = "0"
Taken together, the csfile class and the three extension redirects hijack program launching: whenever a .exe, .com or .bat file is opened through the shell, Windows runs C:\WINDOWS\system32\msbzaml.exe with the requested program's path as its first argument, so the trojan executes before the program the user asked for. The DefaultIcon value of "%1" lets hijacked files keep their own icons. Setting CheckedValue to 0 under both SHOWALL and NOHIDORSYS means the "Show hidden files and folders" option in Folder Options no longer reveals hidden files, and AeDebug\Auto = "0" turns off automatic launch of the just-in-time debugger on application crashes. The run and load values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows and the policies\Explorer\Run value are all processed at logon, giving three further autostart paths, and the firewall entries register %windir%\Fonts\services.exe as an allowed exception so that it can accept inbound connections through Windows Firewall.
When cleaning the machine, restore the .exe, .com and .bat defaults to exefile, comfile and batfile (and remove the csfile class) before, or at the same time as, deleting msbzaml.exe: if the trojan binary is removed while the redirect remains, Explorer can no longer open any .exe, .com or .bat file, including the tools needed to finish the cleanup.
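The following Python script, an added example rather than anything from the original analysis, triages a .reg export of the keys above for the file-association hijack, the autostart values, the hidden-file toggle and the firewall exception. SAMPLE_REG is a constructed excerpt modelled on the entries listed in this write-up, not a capture from an infected system; the clean reference values (exefile/comfile/batfile with an open command of "%1" %*, SHOWALL CheckedValue of 1) are standard Windows defaults. On a real case, export the hives with reg export and pass the file's text to parse_reg.

```python
"""Offline triage of a .reg export for the association hijack and persistence
entries described above (added example; the input below is constructed)."""
import re

# Constructed .reg excerpt modelled on the entries listed in this write-up.
# Sample input for the parser, not an export from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="csfile"

[HKEY_CLASSES_ROOT\csfile\shell\open\command]
@="C:\\WINDOWS\\system32\\msbzaml.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\system32\\msvbxzn.exe"
"load"="C:\\WINDOWS\\system32\\msrocnws.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"exec"="C:\\WINDOWS\\system32\\msplprwg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\fonts\\services.exe"="C:\\WINDOWS\\fonts\\services.exe:*:Enabled:services.exe"
'''

HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_LOCAL_MACHINE": "HKLM"}
# Stock class for each hijacked extension; the stock open command of all three
# is "%1" %*, i.e. run the file itself with the caller's arguments.
CLEAN_CLASS = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}
CLEAN_OPEN_CMD = '"%1" %*'
WIN_KEY = r"hkcu\software\microsoft\windows nt\currentversion\windows"
POLICY_RUN = r"hklm\software\microsoft\windows\currentversion\policies\explorer\run"
SHOWALL = r"hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"
FW_LIST = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
           r"\firewallpolicy\standardprofile\authorizedapplications\list")


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}.  Keys and value
    names are lower-cased (the registry is case-insensitive) and hive names
    are shortened to HKCR/HKCU/HKLM; dword values become ints, other binary
    forms are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault((HIVES.get(hive, hive) + "\\" + rest).lower(), {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(default)" if name == "@" else _unescape(name.strip('"')).lower()
            if value.startswith('"') and value.endswith('"'):
                current[name] = _unescape(value[1:-1])
            elif value.startswith("dword:"):
                current[name] = int(value[6:], 16)
            else:
                current[name] = value
    return keys


def triage(keys):
    """Return (indicator, detail) pairs for the patterns this write-up lists."""
    findings = []
    for root in ("HKCR", r"HKLM\SOFTWARE\Classes"):
        for ext, clean in CLEAN_CLASS.items():
            cls = keys.get(f"{root}\\{ext}".lower(), {}).get("(default)")
            if cls is None:
                continue
            if cls.lower() != clean:
                findings.append(("association redirected", f"{root}\\{ext} -> {cls}"))
            cmd = keys.get(f"{root}\\{cls}\\shell\\open\\command".lower(), {}).get("(default)", "")
            if cmd and cmd.strip() != CLEAN_OPEN_CMD:
                findings.append(("open command wraps target", f"{cls}: {cmd}"))
    win = keys.get(WIN_KEY, {})
    for name in ("run", "load"):         # legacy win.ini-style autostart values
        if win.get(name):
            findings.append(("autostart", f"Windows\\{name} = {win[name]}"))
    for name, val in keys.get(POLICY_RUN, {}).items():
        findings.append(("policy Run", f"{name} = {val}"))
    checked = keys.get(SHOWALL, {}).get("checkedvalue")
    if checked not in (None, 1):         # 1 is the stock value for "show all"
        findings.append(("hidden-file toggle disabled", f"SHOWALL CheckedValue = {checked}"))
    for path, val in keys.get(FW_LIST, {}).items():
        if ":enabled:" in str(val).lower():
            findings.append(("firewall exception", path))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{indicator:30} {detail}")
```

The association check does not look for csfile by name: any class other than the stock one, or any open command other than "%1" %*, is reported, so the same script catches other families that wrap program launching this way. The firewall and policy Run checks simply list what is there, since any entry in those keys deserves a look during triage.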
Payload
Contacts remote host/Displays advertisements
TrojanClicker:Win32/VB.GE contacts "xz.ub9.net", a web server that in turn pushes advertisements and updates onto the affected machine.
Analysis by Jireh Sanico
Prevention