Saturday, August 4, 2012

Chapter 20 Project 20-5

List of three malware descriptions from www.f-secure.com:

Adware:W32/ClickPotato.A


Name: Adware:W32/ClickPotato.A
Aliases: Application.Generic.344399
Application.Generic.346725
Application.Generic.346219
WebToolbar.Win32.Zango
Category: Spyware
Type: Adware
Platform: W32

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Additional Details

ClickPotato is an adware program that will display pop-up advertisements based on the user's browsing activities or habits. It is distributed by Pinball Corporation via its free online streaming video.

The adware components are bundled with open source software, e.g., VLC media player and Xvid codec.

Upon execution, the adware attempts to connect to the following websites:
  • hxxp://tei.clickpotato.tv
  • hxxp://cfgi.clickpotato.tv
  • hxxp://softparade.freelandmedia.com

Worm:ACAD/Kenilfe.A


Name: Worm:ACAD/Kenilfe.A
Detection Names: Worm:ACAD/Kenilfe.A
Kenife
Kenilfe.A
Aliases: Worm.Acad.Kenilfe.A
AutoCAD.Kenilfe
AL/Kenilfe
Category: Malware
Type: Worm
Platform: ACAD

Summary

A standalone malicious program which uses computer or network resources to make complete copies of itself. It may include code or other malware to damage both the system and the network.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.

Additional Details

The worm is a malicious AutoCAD program that propagates via removable drives. It also attempts to download Visual Basic Scripts from remote servers, if certain conditions are met.

Installation

During installation, the malware creates the following registry entries:
  • HKEY_CURRENT_USER\Software\KenFiles\settings
    TMN = %Random Name% or "Temp"
    TMNL = %Random Name% or "TMNL"
    SHXN = %Random Name% or "isoshfr"
    CXBB = 102
    GXBZ = 103
    pth0 = %IP Address of updatebd.8800.org% (or "221223921023103" if it cannot ping the host)
    pth3 = %Current Date%
    pth4 = %Current Date%
    pth5 = %Current Date%
    basepth = %User Support Folder%
    fontpth = %AutoCAD Fonts Folder%
It then creates copies of itself in the following locations:
  • %Folder of Current Drawing%\acad.fas
  • %User Support Folder%\acad.fas
  • %AutoCAD Fonts Folder%\%SHXN%.shx
Where %SHXN% is the same as the SHXN value found in the registry entry (above).

It also creates the following files:
  • %Windows Folder%\DivX.fin - possibly some sort of an infection marker
  • %Windows Folder%\system32\%TMN%.cmd - contains commands that will create copies of the malware (same as those mentioned earlier)
Where %TMN% is also the same as the TMN value found in the registry entry.

It enables the Windows Scripting Host by creating the following registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
    Enabled = 1

It then deletes the registry key:
  • "HKEY_CURRENT_USER\Software\FileKen\settings"
It also deletes the following files:
  • isohztxt.shx
  • acad.fas1
  • logo.gif
  • isomianyi.shx


Payload

Once installed, Kenilfe downloads and executes Visual Basic Scripts based on the following conditions:
  • http://www.cadgs.com/[...]/gxcx.[...] - if the 3rd octet of the IP address of updatebd.8800.org > 102
  • http://www.cadgs.com/[...]/gxmz.[...] - if the 4th octet of the IP address of updatebd.8800.org > 103
Example: if the IP address of updatebd.8800.org is 221.239.103.104, both Visual Basic Scripts will be downloaded and executed.

These thresholds are the CXBB and GXBZ registry values, respectively.


Propagation

The malware enumerates all folders in all removable drives. If it finds the file acad.fas, it replaces the file with a copy of
  • %AutoCAD Fonts Folder%\isomianyi.shx.
Alternatively, if the folder contains a drawing (.dwg) file, it will create the file acad.fas (which is really a copy of isomianyi.shx).

It then creates a file named pagefile in the same drive location, to mark that it has finished infecting the drive.

During the enumeration process, the malware also renames the following files to append a "_bak" in their filenames:
  • acad.lsp
  • acad.sys
  • acad.vlx
  • acadapp.lsp
  • acadappp.lsp
  • acadapq.lsp
  • acadiso.lsp
  • acadsmu.fas
  • dwgrun.bat
  • isohztxt.shx
  • lcm.fas
  • winfas.ini
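As an added illustration (not part of the F-Secure write-up), here is a small Python scanner that checks a drive for the on-disk traces listed above: the pagefile marker, acad.fas planted beside a .dwg drawing, and the "_bak" renames; it also applies the CXBB/GXBZ octet test from the Payload section. The sample drive tree is constructed, and because the write-up does not say exactly how "_bak" is appended, the scanner assumes it is either appended to the whole name or inserted before the extension.

```python
# Added example, not F-Secure's code: look for the Kenilfe.A traces described
# above on a (constructed) removable-drive tree, and evaluate the octet test.
import os
import tempfile

# Files the worm renames with a "_bak" suffix, per the description.
RENAMED_FILES = {"acad.lsp", "acad.sys", "acad.vlx", "acadapp.lsp",
                 "acadappp.lsp", "acadapq.lsp", "acadiso.lsp", "acadsmu.fas",
                 "dwgrun.bat", "isohztxt.shx", "lcm.fas", "winfas.ini"}
# Assumption: the suffix is either "acad.lsp_bak" or "acad_bak.lsp".
BAK_NAMES = {n + "_bak" for n in RENAMED_FILES} | {
    os.path.splitext(n)[0] + "_bak" + os.path.splitext(n)[1] for n in RENAMED_FILES}

def scan_drive(root):
    """Return sorted (indicator, path) pairs found under root."""
    findings = []
    marker = os.path.join(root, "pagefile")       # drive-root infection marker
    if os.path.isfile(marker):
        findings.append(("infection-marker", marker))
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        # acad.fas next to a drawing is what the worm plants in each folder.
        if "acad.fas" in lower and any(f.endswith(".dwg") for f in lower):
            findings.append(("acad.fas-beside-dwg", os.path.join(dirpath, "acad.fas")))
        for f in files:
            if f.lower() in BAK_NAMES:
                findings.append(("renamed-original", os.path.join(dirpath, f)))
    return sorted(findings)

def payload_triggered(ip, cxbb=102, gxbz=103):
    """Third/fourth-octet test from the Payload section.
    Returns (gxcx_script_fetched, gxmz_script_fetched)."""
    octets = [int(o) for o in ip.split(".")]
    return octets[2] > cxbb, octets[3] > gxbz

def build_sample_tree():
    """Constructed sample: a fake removable drive carrying the traces above."""
    root = tempfile.mkdtemp(prefix="kenilfe_demo_")
    os.makedirs(os.path.join(root, "project"))
    for name in ("pagefile", "project/plan.dwg", "project/acad.fas",
                 "project/acad.lsp_bak"):
        with open(os.path.join(root, name), "w"):
            pass
    return root

if __name__ == "__main__":
    for kind, path in scan_drive(build_sample_tree()):
        print(f"{kind}: {path}")
    print(payload_triggered("221.239.103.104"))
```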

Trojan-Dropper:OSX/Revir.A


Detection Names: Trojan-Dropper:OSX/Revir.A
Category: Malware
Type: Trojan
Platform: OSX

Summary

Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

Disinfection

Automatic
Allow F-Secure Anti-Virus for Mac to remove the relevant files.

Additional Details

Trojan-Dropper:OSX/Revir.A drops a PDF file in the /tmp folder, then opens it to distract the user from noticing any other activity occurring:
Screenshot of a PDF file dropped by Trojan-Dropper:OSX/Revir.A.
The PDF file contains Chinese-language text related to political issues, which some users may find offensive.
Note that the PDF file in the screenshot above uses the name 'trojan.pdf'. The PDF file will actually use the same name as the trojan-dropper's binary file, which is usually saved to the /Users/%user%/Downloads or /User/%user%/Documents folders.

Activity
In the background, the malware will drop and execute the following downloader component (detected as Trojan-Downloader:OSX/Revir.A):
  • /tmp/host
This file downloads and executes a file from the following remote location:
  • h t t p://tarmu.narod.ru/[...]
The downloaded file is also saved as:
  • /tmp/updtdata
As of this writing, the downloaded file is detected as Backdoor:OSX/Imuler.A. Our Browsing Protection blocks the download server hosting the file.