| Malware name | Trojan.Clicker.Agent.TP |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | FFFB9DBD722CA1A1805EF38FD89A0AF7 |
| Static file | no |
| Filesize | 69,120 Bytes |

Alias names (also known as)
| Sophos | Troj/Slupim-Gen |
| McAfee | Generic Downloader.z |
| CA ETrust | Win32/SillyDl.DZC |

| Side effects | Downloads a malicious file; drops a malicious file; registry modification |
| Propagation | No own spreading routine |

Description:
Files
The following file is created:
– %SYSDIR%\crypts.dll
Further investigation showed that this file is also malware. Detected as: Trojan.Dldr.Ag.29696.A
It tries to download a file:
– The location is the following:
• http://www.deborah2.biz/**********54.exe
The file is executed once it has been fully downloaded. Further investigation showed that this file is also malware. Detected as: Trojan.Agent.120832.C
Registry
The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt]
• "DLLName"="crypts.dll"
• "Impersonate"=dword:00000001
• "Asynchronous"=dword:00000001
• "StartShell"="Run"
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX