Virus Profile: Adclicker-DF

Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 8/22/2005
Date Added: 8/22/2005
Origin: Unknown
Length: N/A
Type: Trojan
Subtype: Adware
DAT Required: 4565

Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of aforementioned files and registry keys.

Methods of Infection

N/A This is not a virus or trojan.
   

Virus Characteristics

This Trojan lowers Internet security settings, adds itself to firewall exclusion policies and downloads multiple adware programs.

It adds itself to Add/Remove Programs with the names "Block-checker 1.0" and "System Process". If the user tries to uninstall "System Process", this Trojan attempts to download various adware programs onto the system. This is related to Block-Checker.com.

Upon installation, the program displays a EULA. The privacy policy is located at

https://www.system-processes.com/liscense.php

It is observed to contact the following sites apart from various other adware sites that it downloads.

System Changes

Adds the following domains to the following key with the default value of 0x00000001, so that they are always allowed.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\

  • tkqlhce.com
  • qksrv.net
  • linksynergy.com
  • kqzyfj.com
  • jdoqocy.com
  • fastclick.net
  • fastclick.com
  • dpbolvw.net
  • commission-junction.com
  • cc-dt.com
  • bfast.com
  • anrdoezrs.net

Files Added

  • %SystemDir%\navshext.dll (49 KB)
  • %SystemDir%\ccapp.exe (16 KB)
  • c:\program files\block checker\uninstall.exe (63 KB)
  • c:\program files\block checker\setup_finish.exe (16 KB)
  • c:\program files\block checker\setup.log (2 KB)
  • c:\program files\block checker\csrss.exe (28 KB)
  • c:\program files\block checker\block-checker.exe (48 KB)
  • c:\program files\block checker\block checker.exe (704 KB)
  • c:\documents and settings\all users\start menu\programs\block checker\block checker\block checker.lnk (1 KB)
  • c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\block checker.lnk (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockChecker: "C:\Program Files\Block Checker\block-checker.exe"
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32
    "ThreadingModel"="Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}\InProcServer32
    "(default)"="C:\WINDOWS\System32\navshext.dll"
  • HKEY_CLASSES_ROOT\CLSID\{C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB}
    "default"="System Process"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Block Checker\block-checker.exe: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\System Process\ModId: "3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\System Process\Started: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\ccapp.exe: "%windir%\system32\ccapp.exe:*:Enabled:System Process"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\ccapp.exe: "%windir%\system32\ccapp.exe:*:Enabled:System Process"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.system-processes.com:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
    "UninstallString"="C:\WINDOWS\System32\ccapp.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Startup
    "DisplayName"="System Process"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block Checker
    "UninstallString"=""C:\Program Files\Block Checker\uninstall.exe""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Block Checker
    "DisplayName"="Block Checker 1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
    "C:\Program Files\Block Checker\block-checker.exe"="1"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
    "LastDate"=""
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\Yahoo
    "DaysToClear"="0"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
    "LastDate"=""
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\MSN
    "DaysToClear"="0"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
    "LastDate"=""
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\IMAdvertiser\AOL
    "DaysToClear"="0"
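
The firewall exclusion listed above is stored as a single string of the form path:scope:state:label. The following added example (not part of the original profile or any vendor tool) parses such AuthorizedApplications\List values and reports enabled entries that match the path or label given in this profile; the sample entries other than the first and the default Windows directory are assumptions made for illustration.

```python
import ntpath

PROFILE_PATH = r"%windir%\system32\ccapp.exe"  # exception path listed in this profile
PROFILE_LABEL = "System Process"               # exception label listed in this profile
WINDIR = r"c:\windows"  # assumption: default Windows directory, as in the page's paths

def normalize(path):
    """Lower-case a path and expand %windir%/%systemroot% so spellings compare equal."""
    p = path.strip().lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, WINDIR)
    return ntpath.normpath(p)

def parse_entry(data):
    """Split 'path:scope:Enabled|Disabled:label' from the right (paths contain ':')."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected entry format: {data!r}")
    path, scope, state, label = parts
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "label": label}

def review(entries):
    """Return (path, reasons) for each enabled entry that matches the profile."""
    findings = []
    for data in entries:
        e = parse_entry(data)
        if not e["enabled"]:
            continue
        reasons = []
        if normalize(e["path"]) == normalize(PROFILE_PATH):
            reasons.append("path matches profile")
        if e["label"].lower() == PROFILE_LABEL.lower():
            reasons.append("label matches profile")
        if reasons and e["scope"] == "*":
            reasons.append("open to any remote address")
        if reasons:
            findings.append((e["path"], reasons))
    return findings

# Constructed sample of value data from AuthorizedApplications\List.
SAMPLE = [
    r"%windir%\system32\ccapp.exe:*:Enabled:System Process",    # entry from the page
    r"C:\WINDOWS\System32\ccapp.exe:*:Disabled:System Process",  # constructed
    r"C:\Program Files\Example\chat.exe:LocalSubNet:Enabled:Example Chat",  # constructed
    r"C:\Temp\update.exe:*:Enabled:System Process",              # constructed
]

if __name__ == "__main__":
    for path, reasons in review(SAMPLE):
        print(path, "->", ", ".join(reasons))
```

Entries whose label matches but whose path does not are still reported, since the label alone is reused across both of the profile's Add/Remove Programs and firewall entries.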
   
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
