Trojan.Click3.9613

Technical Information

Malicious functions:

Executes the following:

'<SYSTEM32>\DllHost.exe' /pid=0x6ac /log
'<SYSTEM32>\DllHost.exe' 0x860 <Virus name>.exe
'<SYSTEM32>\conhost.exe' --type=utility --channel="2784.6.1137241085\353936962" --lang=en-US --with-feature:enhanced-autofill --ignored=" --type=renderer " /prefetch:-645351001
'<SYSTEM32>\conhost.exe' --type=utility --channel="2784.8.1913142846\92671638" --lang=en-US --with-feature:enhanced-autofill --ignored=" --type=renderer " /prefetch:-645351001

Modifies file system :

Creates the following files:

%APPDATA%\Roaming\Opera Software\Opera Stable\39B.tmp
%HOMEPATH%\Downloads\20.jpg:Zone.Identifier
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1366.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14D0.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1471.tmp
%TEMP%\etilqs_E127lpvVlSIMOiU
%HOMEPATH%\Downloads\B2FA.tmp
%HOMEPATH%\Downloads\BA4B.tmp
%HOMEPATH%\Downloads\en:Zone.Identifier
%TEMP%\etilqs_rtqOFlN5jRDlJjL
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\157E.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000002
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000001.dbtmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000002.dbtmp
%TEMP%\etilqs_9VpRTtkmzbRRsEy
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\LOG
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16AA.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\162C.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\170A.tmp
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001
%APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\HG71B46B8094FFN9NITN.temp
<Auxiliary element>
%TEMP%\nsn407.tmp\Inetc.dll
%TEMP%\nsn407.tmp\nsProcess.dll
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIF7DGLM\iplookup[1].php
<LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEWNTWLX\RhijZbP[1]
%TEMP%\nsn407.tmp\i.rar
%TEMP%\nsn407.tmp\System.dll
%TEMP%\nsy3F7.tmp
%PROGRAM_FILES%\SetupInstall\Uninstall.exe
%TEMP%\nsn407.tmp\1.ico
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SetupInstall\uninst.lnk
%TEMP%\nsn407.tmp\3.ico
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\LOG
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000002.dbtmp
%APPDATA%\Roaming\Opera Software\Opera Stable\History Provider Cache
%APPDATA%\Roaming\Opera Software\Opera Stable\6F26.tmp
%TEMP%\etilqs_N5QesjTbpvAow9A
%TEMP%\nsn407.tmp\ExecCmd.dll
%HOMEPATH%\Desktop\Intrenet Explorer.lnk
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000001
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000002
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000001.dbtmp

Deletes the following files:

%TEMP%\nsn407.tmp\1.ico
%TEMP%\nsn407.tmp\3.ico
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT~RFa2cd9.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\MANIFEST-000001
%TEMP%\nsn407.tmp\nsProcess.dll
%TEMP%\nsn407.tmp\System.dll
%TEMP%\nsn407.tmp\ExecCmd.dll
%TEMP%\nsn407.tmp\Inetc.dll
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16F9.tmp~RFa17a5.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1326.tmp~RFa141c.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1460.tmp~RFa1499.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT~RF82348.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\MANIFEST-000001
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\161B.tmp~RFa164d.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\169A.tmp~RFa16da.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14B0.tmp~RFa1525.TMP
%APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\156D.tmp~RFa160f.TMP

Moves the following files:

from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\162C.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\161B.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\161B.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\161B.tmp~RFa164d.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16AA.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\169A.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14B0.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14B0.tmp~RFa1525.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\157E.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\156D.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\156D.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\156D.tmp~RFa160f.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\169A.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\169A.tmp~RFa16da.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000001.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\000002.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension State\CURRENT~RFa2cd9.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\170A.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16F9.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16F9.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\16F9.tmp~RFa17a5.TMP
from %APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\HG71B46B8094FFN9NITN.temp to %APPDATA%\Roaming\Microsoft\Windows\Recent\CustomDestinations\8548f632abe97aa3.customDestinations-ms
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14D0.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\14B0.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\6F26.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Preferences
from %HOMEPATH%\Downloads\B2FA.tmp to %HOMEPATH%\Downloads\en.opdownload
from %HOMEPATH%\Downloads\BA4B.tmp to %HOMEPATH%\Downloads\20.jpg.opdownload
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000001.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\000002.dbtmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT
from %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT to %APPDATA%\Roaming\Opera Software\Opera Stable\Extension Rules\CURRENT~RF82348.TMP
from %HOMEPATH%\Downloads\en.opdownload to %HOMEPATH%\Downloads\en
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1326.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1326.tmp~RFa141c.TMP
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1471.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1460.tmp
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1460.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1460.tmp~RFa1499.TMP
from %HOMEPATH%\Downloads\20.jpg.opdownload to %HOMEPATH%\Downloads\20.jpg
from %APPDATA%\Roaming\Opera Software\Opera Stable\39B.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Local State
from %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1366.tmp to %APPDATA%\Roaming\Opera Software\Opera Stable\Jump List Icons\1326.tmp

Network activity:

Connects to:

'bi##.#ikimedia.org':80
'i.##0.ru':80
'93.##8.134.11':80
'ap#.###sys.opera.com':443
'au######te.geo.opera.com':443
'www.go##le.ru':80
't.#n':80
'in#.###ol.sina.com.cn':80
'www.ic#.com':80
'si#####ck2.opera.com':80
'k.####hantea-tw.com':80

TCP:

HTTP GET requests:

bi##.#ikimedia.org/favicon/wikipedia.ico
i.##0.ru/2011/icons/rambler.ico
93.##8.134.11/favicon.ico
www.ic#.com/en
k.####hantea-tw.com/<Auxiliary name>.exe/20.jpg
t.#n/RhijZbP
in#.###ol.sina.com.cn/iplookup/iplookup.php
si#####ck2.opera.com/?ho###############################################
www.go##le.ru/favicon.ico
si#####ck2.opera.com/?ho#######################################################

UDP:

DNS ASK sl####i.yandex.ru
DNS ASK bi##.#ikimedia.org
DNS ASK i.##0.ru
DNS ASK ap#.###sys.opera.com
DNS ASK dn#.##ftncsi.com
DNS ASK au######te.geo.opera.com
DNS ASK www.go##le.ru
DNS ASK www.google.com
DNS ASK t.#n
DNS ASK in#.###ol.sina.com.cn
DNS ASK si#####ck2.opera.com
DNS ASK k.####hantea-tw.com
DNS ASK www.ic#.com

Miscellaneous:

Searches for the following windows:

ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Opera_MessageWindow' WindowName: '%APPDATA%\Roaming\Opera Software\Opera Stable'

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial