Win32/TrojanClicker.Qupdate [Threat Name] go to Threat

Win32/TrojanClicker.Qupdate.AA [Threat Variant Name]

Category trojan
Size 40960 B
Aliases Trojan-Clicker.Win32.Qupdate.f (Kaspersky)
  Myxq.trojan (McAfee)
  Trojan.Adclicker (Symantec)
  Clicker.Qupdate.F (BitDefender)
Short description

Win32/TrojanClicker.Qupdate.AA is a trojan which tries to promote certain web sites. The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\­QUpdate.exe

In order to be executed on every system start, the modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Load" = "%system%\­QUpdate.exe"
Other information

Win32/TrojanClicker.Qupdate.AA is a trojan which tries to promote certain web sites.


The trojan opens the following URLs:

  • http://www.newgao.com/8888888888/index8html
  • http://www.newgao.com/88888888888888/index8html/
  • http://www.newgao.com/8888888888888888888/index8html
  • http://www.newgao.com/888888888888888888888/index8html/
  • http://www.newgao.com/888888888888888888888/index8html66/

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.


The trojan checks for Internet connectivity by trying to connect to the following servers:

  • www.baidu.com
  • www.sohu.com

The trojan modifies the following file:

  • %windir%\­win.ini

The written data contains the following string:

  • [NextOpen]
    • NextTime=下次OPEN %variable1% 分 %variable2% 秒!

A string with variable content is used instead of %variable1-2% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.