Trojan.Click2.58794

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKLM>\SOFTWARE\Classes\htb\shell\open\command] '' = 'IEXPLORE.EXE http://taobao.loliso.com/?wj'
[<HKLM>\SOFTWARE\Classes\.\shell\open\command] '' = 'rundll32.exe %WINDIR%\staticial\cmss.jyc,scanMiddle'
[<HKLM>\SOFTWARE\Classes\hpf\shell\open\command] '' = 'IEXPLORE.EXE http://www.piaofang.net/?wj'
[<HKLM>\SOFTWARE\Classes\hdh\shell\open\command] '' = 'IEXPLORE.EXE http://www.35yes.com/?wj'
[<HKLM>\SOFTWARE\Classes\hyx\shell\open\command] '' = 'IEXPLORE.EXE http://www.d91d.com/?wj'

Malicious functions:

To complicate detection of its presence in the operating system,

forces the system hide from view:

file extensions

Creates and executes the following:

'C:\BQ6035.exe'
'C:\05W93.exe'

Executes the following:

'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r System
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r Users
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r "%USERNAME%
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r "Power Users"
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /G Everyone:r
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r %USERNAME%s
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r "Authenticated Users"
'<SYSTEM32>\rundll32.exe' %PROGRAM_FILES%\staticial\csrg.jpc,scanCook
'%PROGRAM_FILES%\Internet Explorer\IEXPLORE.EXE' http://dl.###link.cn:1287/CPAdown/vplay.php
'<SYSTEM32>\wscript.exe' "c:\oied.bak.vbs"
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Start Menu\Internet Expleror.hdh" /e /c /r "Power Users"
'<SYSTEM32>\ipconfig.exe' /all
'<SYSTEM32>\rundll32.exe' "%WINDIR%\staticial\cmss.jyc",scanMiddle
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r Users
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r "%USERNAME%
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r "Authenticated Users"
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /G Everyone:r
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r %USERNAME%s
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r System
'<SYSTEM32>\cacls.exe' "%ALLUSERSPROFILE%\Desktop\Internet Expleror.hdh" /e /c /r "Power Users"
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r Users
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r "%USERNAME%
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r "Authenticated Users"
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /G Everyone:r
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r %USERNAME%s
'<SYSTEM32>\cacls.exe' "\Internet Expleror.hdh" /e /c /r System