Installation
These threats are typically downloaded directly from the Internet. Some of them can be downloaded by other malware.
They copy themselves to C:\Documents and Settings\<User Name>\%APPDATA%\Microsoft\Windows\IEUpdate\<RandomName.exe>.
We have seen them use the following file names:
- Arp.exe
- AuditPol.exe
- Cacls.exe
- DevicePairingWizard.exe
- FlashPlayerApp.exe
- Instnm.exe
- Msconfig.exe
- Msiexec.exe
- Notepad.exe
- RacAgent.exe
- Sdbinst.exe
- Verifier.exe
- wowExec.exe
They add a shortcut to C:\Documents and Settings\<User Name>\<start menu>\Programs\<startup folder>\<RandomName.lnk> so they can run each time you start your PC. The shortcut points to the dropped file in the IEUpdate folder.
They can also change the following registry entries so they run each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "RandomName"
With data: "C:\Documents and settings\<User Name>\%APPDATA%\Microsoft\Windows\IEUpdate\RandomName.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "RandomName"
With data: "C:\Documents and settings\<User Name>\%APPDATA%\Microsoft\Windows\IEUpdate\RandomName.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "Run"
With data: "C:\Documents and settings\<User Name>\%APPDATA%\Microsoft\Windows\IEUpdate\RandomName.exe"
In subkey: HKCU\Software\Microsoft\Command Processor
Sets value: "AutoRun"
With data: "C:\Documents and settings\<User Name>\Application Data\Microsoft\Windows\IEUpdate\RandomName.exe"
They can add a registry entry to run the malicious file when the screen saver mode is active:
In subkey: HKCU\Control Panel\Desktop
Sets value: "SCRNSAVE.EXE"
With data: "C:\Documents and settings\<User Name>\Application Data\Microsoft\Windows\IEUpdate\RandomName.exe"
They can also add the following registry entry to hide the malicious file from your view:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: 0
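As an added example that is not part of the original analysis, the following Python checks exported HKCU registry entries for the autostart locations listed above. The sample entries, the user name "alice" and the value name "Xk3f9a" are constructed. Because the dropped file borrows the names of legitimate Windows binaries (Notepad.exe, Arp.exe), the check keys on the IEUpdate folder rather than on the file name; the startup-folder .lnk is not covered here.

```python
import re
from typing import Iterable, NamedTuple

# Autostart locations described for this family (subkey under HKCU, value name).
# None as the value name means "any value name": Run/RunOnce use a random name.
RUN_LOCATIONS = {
    (r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    (r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "Run"),
    (r"Software\Microsoft\Command Processor", "AutoRun"),
    (r"Control Panel\Desktop", "SCRNSAVE.EXE"),
}
HIDDEN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# The dropped executable sits in an IEUpdate folder under the roaming profile.
IEUPDATE_PATH = re.compile(r'\\Microsoft\\Windows\\IEUpdate\\[^\\"]+\.exe$', re.IGNORECASE)


class Finding(NamedTuple):
    subkey: str
    value: str
    data: str
    reason: str


def find_ropest_persistence(entries: Iterable[tuple[str, str, str]]) -> list[Finding]:
    """Return the entries that match the persistence pattern described above."""
    findings = []
    for subkey, value, data in entries:
        key = subkey.replace("HKEY_CURRENT_USER\\", "").replace("HKCU\\", "").lower()
        path = data.strip().strip('"')  # exported command lines may be quoted
        for loc_key, loc_value in RUN_LOCATIONS:
            if key == loc_key.lower() and (loc_value is None or value.lower() == loc_value.lower()):
                if IEUPDATE_PATH.search(path):
                    findings.append(Finding(subkey, value, data, "autostart points into IEUpdate folder"))
        # Hidden=0 on its own is weak (it is also a normal user setting); report it as supporting context.
        if key == HIDDEN_KEY.lower() and value.lower() == "hidden" and path == "0":
            findings.append(Finding(subkey, value, data, "Explorer 'Hidden' set to 0 (supporting indicator only)"))
    return findings


# Constructed sample: one benign Run entry, two IEUpdate autostarts, a legitimate screen saver, Hidden=0.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Xk3f9a",
     r'"C:\Documents and Settings\alice\Application Data\Microsoft\Windows\IEUpdate\Notepad.exe"'),
    (r"HKCU\Software\Microsoft\Command Processor", "AutoRun",
     r'"C:\Documents and Settings\alice\Application Data\Microsoft\Windows\IEUpdate\Arp.exe"'),
    (r"HKCU\Control Panel\Desktop", "SCRNSAVE.EXE", r"C:\WINDOWS\system32\scrnsave.scr"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "0"),
]

if __name__ == "__main__":
    for f in find_ropest_persistence(SAMPLE_ENTRIES):
        print(f"{f.subkey} [{f.value}] -> {f.reason}")
```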
Payload
Uses your PC for click fraud
These threats can connect to remote command and control (C&C) servers to get click fraud commands from a malicious hacker. We have seen them use the following servers:
- 146.185.220.23:8080
- 146.185.220.23:19077
- 195.20.141.72:8080
After receiving and decrypting the configuration file from C&C, the TrojanClicker:Win32/Ropest variant does the following malicious tasks in the background without your consent:
- Queries a fake search on some search engine.
- Finds the advertisements related to the search query on some targeted advertising networks.
- Performs click fraud.
Example:
Locks screen
Some TrojanClicker:Win32/Ropest variants also have a ransomware component. They can lock your PC and show a full-screen message, commonly called a "lock screen" asking you to pay money in exchange for unlocking your PC.
The following screenshot shows an example of a locked screen:
When this variant runs the lock screen component, it connects to the C&C to download other malware or to get instructions to perform click fraud commands in the background.
Analysis by Duc Nguyen