We analyzed a Trojan Spy sample because of the interesting way it spreads through the operating system and sends out information stolen from the user. Right after execution, the malware searches for .lnk files on the user’s desktop and in the special folders. It then follows the path of the executable to which each shortcut points and creates a copy of itself in the target directory, using the name of the original file. The original executable is renamed to “click_%executable name%.exe”. Interestingly, the Trojan does not delete the original files; it only renames them.
After a successful infection, the malware is executed whenever such a shortcut is used and in turn starts the renamed original executable. This means the user will usually not notice that the target behind the .lnk files has been replaced, which is part of the Trojan’s strategy to remain undetected as long as possible.
Microsoft’s Internet Explorer is directly targeted for this action:
The Trojan does not modify registry keys or use any other autorun mechanism provided by the operating system; this is not necessary, because the Trojan is executed immediately whenever the user opens one of the hijacked shortcuts. The memory dump shows a list of web address fragments monitored by the Trojan. During monitoring it looks for login forms and login scripts in PHP and ASP pages.
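The hijack leaves a distinctive on-disk pattern: a shortcut target that sits next to a “click_” copy of the same file name. The following script, added here as an example and not part of the original post or Avira’s tooling, walks a set of shortcut directories, reads each .lnk file’s LocalBasePath with a minimal MS-SHLLINK parser, and reports targets that have such a renamed sibling. The demo builds its own constructed .lnk files and an empty decoy directory tree, so it runs offline; the “click_” prefix is taken from the analysis above, and the minimal .lnk builder is an assumption for testing only (it carries just enough structure for the parser, not everything Windows would need).

```python
"""Hunt for the shortcut-hijack pattern described above: a .lnk target whose
directory also holds a 'click_<name>' copy of the original executable.
Added example; constructed test data, not the analysed sample."""
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C                 # fixed ShellLinkHeader size (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x01         # LinkFlags bit A
HAS_LINK_INFO = 0x02                   # LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit A
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def lnk_local_base_path(data: bytes):
    """Return the LocalBasePath stored in a .lnk (the file it points to),
    or None if the shortcut carries no local path.
    Layout walked: ShellLinkHeader -> optional LinkTargetIDList -> LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]        # LinkFlags follow size + CLSID
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the IDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    info_start = pos
    _size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, info_start)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    start = info_start + base_off
    end = data.index(b"\x00", start)                     # LocalBasePath is NUL-terminated
    return data[start:end].decode("cp1252", errors="replace")


def build_minimal_lnk(target_path: str) -> bytes:
    """Constructed test helper: a .lnk with only a LinkInfo/LocalBasePath."""
    path = target_path.encode("cp1252") + b"\x00"
    hdr_size = 0x1C                                       # LinkInfo header without unicode offsets
    # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset,
    # LocalBasePathOffset, CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset
    link_info = struct.pack("<IIIIIII", hdr_size + len(path) + 1, hdr_size,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, 0, hdr_size, 0,
                            hdr_size + len(path)) + path + b"\x00"
    header = struct.pack("<I", LNK_HEADER_SIZE) + LINK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + link_info


def find_hijacked_shortcuts(shortcut_dirs):
    """Return (lnk, target, renamed_original) for every shortcut whose target
    has a 'click_<target name>' sibling, the on-disk signature described above."""
    hits = []
    for d in shortcut_dirs:
        for name in sorted(os.listdir(d)):
            if not name.lower().endswith(".lnk"):
                continue
            lnk = os.path.join(d, name)
            with open(lnk, "rb") as fh:
                target = lnk_local_base_path(fh.read())
            if not target:
                continue
            tdir, tname = os.path.split(target)
            renamed = os.path.join(tdir, "click_" + tname)
            if os.path.isfile(target) and os.path.isfile(renamed):
                hits.append((lnk, target, renamed))
    return hits


def demo():
    """Constructed scenario: one clean shortcut and one hijacked shortcut."""
    root = tempfile.mkdtemp()
    desktop, clean_dir, bad_dir = (os.path.join(root, n) for n in ("Desktop", "clean", "infected"))
    for d in (desktop, clean_dir, bad_dir):
        os.mkdir(d)
    for p in (os.path.join(clean_dir, "editor.exe"),
              os.path.join(bad_dir, "browser.exe"),          # the Trojan's copy
              os.path.join(bad_dir, "click_browser.exe")):   # the renamed original
        open(p, "wb").close()
    for lnk_name, target in (("Editor.lnk", os.path.join(clean_dir, "editor.exe")),
                             ("Browser.lnk", os.path.join(bad_dir, "browser.exe"))):
        with open(os.path.join(desktop, lnk_name), "wb") as fh:
            fh.write(build_minimal_lnk(target))
    return find_hijacked_shortcuts([desktop])


if __name__ == "__main__":
    for lnk, target, renamed in demo():
        print(f"suspicious: {lnk} -> {target} (original renamed to {renamed})")
```

On a real system, point `find_hijacked_shortcuts` at the desktop and Start Menu folders; a shortcut that stores only an ID list and no LinkInfo is skipped by this parser, so treat an empty result as “no hits found”, not as a clean bill of health.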
Most of the targeted web sites are Chinese web sites such as
as well as big global Internet sites such as
The Trojan itself is written in Visual Basic and is neither packed nor otherwise obfuscated. Avira protects against this threat and detects it as TR/Spy.Clickpal.A.