Hidden Trojan in This App !

Discussion in 'malware problems & news' started by Spanner intheWorks, Mar 27, 2005.

Thread Status:
Not open for further replies.
  1. sultan_emerr

    sultan_emerr Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    18
    Location:
    Tokyo, Japan
    Since it's a clicker and not a downloader, I would say it is not a real danger or of major concern, but is still not something you want on your PC. I doubt that the infection was in the program, but instead was installed at/by the download site. If you get those types of downloads from mainstream sites you probably won't have that problem:

    http://www.majorgeeks.com/search.php

    http://www.snapfiles.com/



     
    Last edited by a moderator: Mar 29, 2005
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Can't agree with you there Sultan. This is what Viruslist has to say about 'Clickers':- http://www.viruslist.com/en/viruses/encyclopedia?chapter=152540521#clickers

    Trojan Clickers
    This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet URLs are stored (e.g. the 'hosts' file in MS Windows).

    Clickers are used:

    1) To raise the hit-count of a specific site for advertising purposes
    2) To organize a DoS attack on a specified server or site
    3) To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans).

    It is (3) above that is the main concern of course, but I'm not too keen on the others either!

    Spanner, is that info from WinPatrol, 'Plus' members info, or is it generally available?
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    According to my observation....this is what happened in this case also.

    Once you are at the startupmechanic page and click on the start-up mechanic gif....it actually takes you to what appears to be a lop site. Since the download is not available @ the moment....or it has been removed....that's as far as my testing could go.

    download link view source code at startupmechanic.com site:

    Code:
    hxxp://dw.com.com/redir?
    pid=10349821&merid=6244207&mfgid=6244207&ltype=
    dl_dlnow&lop=link&edId=3&siteId=4&oId=
    3120-2086_4-10349821&ontId=2086_4&destUrl=
    hxxp://www.download.com%2F3001-2086_4-10349821.html
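One way to see where a tracking/redirect link like the one quoted above really points without clicking it, as an added example that is not code from this thread: parse the `redir` URL offline, decode its `destUrl` parameter, and list the hosts and tracking parameters involved. The `refang` helper and the field names it returns are my own choices.

```python
from urllib.parse import parse_qs, urlsplit

# The download link quoted in the post above, defanged (hxxp) as the post wrote it.
QUOTED_LINK = (
    "hxxp://dw.com.com/redir?pid=10349821&merid=6244207&mfgid=6244207"
    "&ltype=dl_dlnow&lop=link&edId=3&siteId=4&oId=3120-2086_4-10349821"
    "&ontId=2086_4&destUrl=hxxp://www.download.com%2F3001-2086_4-10349821.html"
)


def refang(link):
    """Turn the forum's defanged 'hxxp' scheme back into 'http' for parsing only."""
    return link.replace("hxxp://", "http://")


def analyze_redirect(link, dest_param="destUrl"):
    """Describe where a redirect link goes without fetching anything.

    Returns the host that serves the redirect, the decoded final destination,
    its host, the remaining (tracking) query keys, and whether the two hosts
    differ, i.e. whether an intermediate site sits between the click and the
    advertised download page.
    """
    parts = urlsplit(refang(link))
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs has already percent-decoded the value, so %2F is a plain '/'.
    dest_values = query.pop(dest_param, [])
    destination = dest_values[0] if dest_values else None
    dest_host = urlsplit(destination).hostname if destination else None
    return {
        "redirect_host": parts.hostname,
        "destination": destination,
        "destination_host": dest_host,
        "tracking_params": sorted(query),
        "hosts_differ": dest_host is not None and dest_host != parts.hostname,
    }


if __name__ == "__main__":
    for key, value in analyze_redirect(QUOTED_LINK).items():
        print(f"{key}: {value}")
```

For the quoted link this reports that the click is served by dw.com.com and only then lands on www.download.com, with nine tracking parameters (lop included) stripped from the path in between.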
    
     


  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Spanner, I wish I had something constructive to add to Bubba's excellent detective work, but I'm afraid I don't!

    It was good of you not to be suckered by this thing in the first place, I suspect most people would not have been so alert to the danger and would have ended up being redirected to a site where a juicy, spyware filled, forced download awaited them! Mind you, with your browser settings, you probably could have avoided that debacle in any case!
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Actually....strict browser settings....no matter the browser of choice....played no part in this download. The download itself....mechanic-2[2].2.exe....was flagged @ Jotti's as having Trojan.Clicker.VB.DN by Kav, Bitdefender and MKS-vir.

    So my advice to others is no different than what many other security minded individuals would say and that is that nowadays downloaded files should be scanned before they are even executed....no matter the download source.
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I downloaded a copy (MD5 - 458E8CA2377563C3CEECCEC97219624) from PCWorld and installed it. TDS3, BOClean, F-Prot's monitor, and Outpost Pro are keeping quiet. PG so far only alerts on the execution of startupmechanic.exe. I do think their database needs some serious review...

    Nick
     


  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Still unable to get a copy from download.com (server busy error, try later...). Is the MD5 of your copy different?

    Nick
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spanner,

    I restored the image I made before I tried it. I saw no security issues. Its memory load was over 22Mb, which seemed excessive for what it does. It appears to scan your autostarts when you run it, and makes recommendations based on its database file (mine was dated December 2004). It also classified Process Guard and CursorXP as "useless" (besides classifying BOClean as a trojan). I tracked the install and saved the InCtrl5 report if you ever need it.

    Nick
     