Trojan-Clicker.Win32.GreatPage

Class Trojan-Clicker
Platform Win32
Description

Technical Details

This Trojan periodically loads a designated web page in the web browser. It is a Windows PE EXE file. The executable file is 36 864 bytes in size. It is written in Visual C++.

Payload

Once launched, the Trojan copies itself to the Windows system directory as “winsvc32.exe”:

%System%\winsvc32.exe

It then registers this file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winsvc32.exe" = "%System%\winsvc32.exe"

This ensures that the Trojan will be launched each time Windows is booted on the victim machine.

Every 30 minutes, the Trojan will open http://www.greatpage.da.ru using the Windows command line.

At the time of writing, no page was hosted at this address.

Removal instructions

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following file:
    %System%\winsvc32.exe
  3. Delete the following system registry entry:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "winsvc32.exe" = "%System%\winsvc32.exe"
  4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
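The file and registry checks from steps 2 and 3, as an added PowerShell example that is not part of the original description. It assumes the running process is named after the dropped file (winsvc32) and that it is run in the session of the affected user, since the Run value lives under HKCU.

```powershell
# Added example, not from the original description: looks for the two persistence
# indicators listed above and removes them only when -Remove is given.
param([switch]$Remove)

$SystemDir = [Environment]::GetFolderPath('System')   # expands %System%
$FilePath  = Join-Path $SystemDir 'winsvc32.exe'
$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'winsvc32.exe'
$KnownSize = 36864                                     # size stated in the description

$hits = @()

# Indicator 1: the copy dropped into the system directory.
if (Test-Path -LiteralPath $FilePath) {
    $len  = (Get-Item -LiteralPath $FilePath).Length
    $note = if ($len -eq $KnownSize) { 'size matches description' }
            else { "size $len differs; possible variant or unrelated file" }
    $hits += "File present: $FilePath ($note)"
    if ($Remove) {
        # Assumption: process name follows the file name; stop it so the file is not locked.
        Get-Process -Name 'winsvc32' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -LiteralPath $FilePath -Force
    }
}

# Indicator 2: the autorun value under HKCU\...\Run.
$runValue = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($runValue) {
    $hits += "Run value present: $ValueName = $($runValue.$ValueName)"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $ValueName }
}

if ($hits.Count -eq 0) { 'No GreatPage persistence indicators found.' } else { $hits }
```

Run it once without -Remove to review the findings, then with -Remove from an elevated prompt; step 4 (full scan) still applies afterwards.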