Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Trojan Programs / Trojan Clickers

Trojan-Clicker.Win32.Delf.x

Other versions: .cl, .r

Aliases
Trojan-Clicker.Win32.Delf.x (Kaspersky Lab) is also known as: TrojanClicker.Win32.Delf.x (Kaspersky Lab), Lolaweb (McAfee),   Trojan.Click.64 (Doctor Web),   Troj/Lolaweb-D (Sophos),   TrojanClicker:Win32/Delf.X (RAV),   TROJ_DELF.DA (Trend Micro),   TR/Click.Delf.X (H+BEDV),   Win32:Trojan-gen. (ALWIL),   Clicker.AD (Grisoft),   Trojan.Clicker.Delf.X (SOFTWIN),   Trojan.Lolaweb (ClamAV),   Trj/Delf.U (Panda),   Win32/TrojanClicker.Delf.X (Eset)
Description added Feb 19 2007
Behavior TrojanClicker

Technical details

This Trojan is a Windows PE EXE file. It is 12,288 bytes in size. It is packed using UPX. The unpacked file is approximately 30KB in size.

Installation

When launched, the Trojan copies its executable file to the Windows root directory: 

%WinDir%\winh.exe

The Trojan also extracts the following files from its body:

%WinDir%\system.html
%WinDir%\sysh.hta

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winhost" = "%WinDir%\winh.exe"
Payload

The Trojan scans the system for Windows containing the string ‘Microsoft Internet Explorer’. If it finds such windows, it will search their titles for the following strings:

  • amateur
  • anal
  • anime
  • ass
  • babe
  • barely legal
  • bbw
  • bdsm
  • beach
  • beauty
  • bigcocks
  • bigtits
  • bikini
  • bimbo
  • bitch
  • bizarre
  • blowjob
  • bondage
  • boobs
  • booty
  • busty
  • porno
  • closeup
  • cock
  • couple
  • cum
  • deepthroat
  • dildo
  • doggystyle
  • domination
  • extreme
  • facial
  • femdom
  • fetish
  • fisting
  • fucking
  • gangbang
  • sex
  • handjob
  • hardcore
  • hentai
  • hiddencam
  • hugecocks
  • innocent
  • ladyboy
  • lesbian
  • masturbating
  • messyfacials
  • monstercock
  • nympho
  • outdoor
  • pantyhose
  • parksex
  • penis
  • pissing
  • pornstar
  • pornstars
  • shemale
  • slave
  • spanked
  • sperm
  • striptease
  • sucking
  • teen
  • tiny
  • tinytits
  • tits
  • tittyfuck
  • topless
  • tranny
  • upskirt
  • vibrator
  • virgin
  • lolita

If the Trojan finds one of the strings listed above, it launches the following process: mshta.exe %WinDir%\sysh.hta.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the files created by the Trojan: 
    %WinDir%\system.html
%WinDir%\sysh.hta
%WinDir%\winh.exe
  4. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Winhost" = "%WinDir%\winh.exe"
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
 		 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com