Trojan-Clicker.Win32.GreatPage

Home Threats Trojan-Clicker Trojan-Clicker.Win32.GreatPage

Class	Trojan-Clicker
Platform	Win32
Description	Technical Details This Trojan will periodically load a designated web page in the Internet browser. It is a Windows PE EXE file. The executable file is 36 864 bytes in size. It is written in Visual C++. Payload Once launched, the Trojan copies itself to the Windows system directory as “winsvc32.exe”: %System%winsvc32.exe It then registers this file in the system registry: [HKCUSoftwareMicrosoftWindowsCurrentVersionRun] “winsvc32.exe” = “%System%winsvc32.exe” This ensures that the Trojan will be launched each time Windows is booted on the victim machine. Every 30 minutes, the Trojan will open http://www.greatpage.da.ru using the Windows command line. At the time of writing, no page was placed on this address. Removal instructions Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine). Delete the following file: %System%winsvc32.exe Delete the following system registry entry: [HKCUSoftwareMicrosoftWindowsCurrentVersionRun] “winsvc32.exe” = “%System%winsvc32.exe” Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Technical Details