TrojanClicker:Win32/Zirit.X is a generic detection for several variants of a trojan DLL that repeatedly visits web pages as instructed by a remote server. It may also cause pop-ups to be displayed.
Installation
TrojanClicker:Win32/Zirit.X is a DLL which is generally written to disk and launched by a dropper file or another piece of malware.
When launched, it makes the following registry modifications:
Under key: HKCR\CLSID\<class id>\InProcServer32\
Adds value: (Default)
With data: <full pathname of dll>
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Adds value: <filename of dll without the extension>
With data: <class id>
For example, one variant was observed to use the following:
Under key: HKCR\CLSID\{48dfdc2f-664d-4de6-b951-e0f4dd21dfc2}\InProcServer32\
Adds value: (Default)
With data: <system folder>\SysMon.dll
Under key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Adds value: SysMon
With data: "{48dfdc2f-664d-4de6-b951-e0f4dd21dfc2}"
It periodically rewrites these modifications in an attempt to prevent them from being deleted.
Payload
Contacts Remote Server/Receives Instructions
Every 10 minutes the trojan contacts a server at setup.jobusiness.org, or an alternate server whose location is retrieved from a list stored in the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\domains
The server may respond with the location of a further server to contact for instructions. These instructions may include:
- Repeatedly visit certain websites (presumably in order to collect per-click payments)
- Update the list of servers to use (stored in the above registry entry)
- Display pop-ups using a web browser
Modifies Internet Security Settings
Some variants of TrojanClicker:Win32/Zirit.X modify Internet security settings by making the following registry modifications:
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set Value: "ProxyBypass"
With Data: 1
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Set Value: "GlobalUserOffline"
With Data: 0
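As an added defender-side example that is not part of this encyclopedia entry: a read-only PowerShell triage script that checks a host for the registry artefacts described in the Installation section (the ShellServiceObjectDelayLoad entry and its CLSID\InProcServer32 DLL) and in the Payload section (the domains server list and the Internet Settings values). It assumes the layout given above (SSODL value name = DLL base name, value data = CLSID, InProcServer32 default = DLL path); the scoring thresholds and the "domains is not a standard Windows entry" check are my own choices, and the only page-specific value used is the CLSID from the observed variant.

```powershell
# Added example (not from the encyclopedia entry): read-only triage for the
# Zirit.X registry artefacts described above. Run from an elevated prompt.
# Assumed layout, taken from the entry: SSODL value name = DLL base name,
# value data = CLSID, HKCR\CLSID\<id>\InProcServer32 default = DLL path.

$ssodlPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$cvPath     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$inetPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$system32   = [Environment]::GetFolderPath('System')
$knownClsid = '{48dfdc2f-664d-4de6-b951-e0f4dd21dfc2}'   # CLSID from the observed variant

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($check, $item, $detail, $suspicion) {
    $findings.Add([pscustomobject]@{ Check = $check; Item = $item; Detail = $detail; Suspicion = $suspicion })
}

# --- 1. Shell service objects: every SSODL value names a CLSID that explorer.exe loads at logon
$explorerModules = @(Get-Process -Name explorer -Module -ErrorAction SilentlyContinue | ForEach-Object FileName)
$ssodl = Get-Item -Path $ssodlPath -ErrorAction SilentlyContinue
if ($ssodl) {
    foreach ($valueName in $ssodl.GetValueNames()) {
        $clsid  = ([string]$ssodl.GetValue($valueName)).Trim('"')   # the observed variant quotes the CLSID
        $inproc = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll    = if ($inproc) { [Environment]::ExpandEnvironmentVariables([string]$inproc.GetValue('')) } else { '' }

        $onDisk = ($dll -ne '') -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $sig    = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
        $loaded = $explorerModules -icontains $dll   # a loaded DLL will keep rewriting the keys

        # Score the pattern from the entry: value name == DLL base name, DLL in the
        # system folder, no trusted signature, known CLSID. Thresholds are my own choice.
        $score = [int]([IO.Path]::GetFileNameWithoutExtension($dll) -ieq $valueName) +
                 [int]($dll -like "$system32\*") +
                 [int]($sig -ne 'Valid') +
                 [int]($clsid -ieq $knownClsid)
        $level = if ($score -ge 3) { 'HIGH' } elseif ($score -ge 1) { 'REVIEW' } else { 'low' }
        Add-Finding 'SSODL' "$valueName -> $clsid" "dll=$dll onDisk=$onDisk sig=$sig loadedInExplorer=$loaded" $level
    }
}

# --- 2. Alternate server list: 'domains' under CurrentVersion is not a standard Windows entry
#         (assumption), so its mere presence is reported; both value and subkey forms are checked
$cv = Get-Item -Path $cvPath
if ($cv.GetValueNames() -contains 'domains') {
    Add-Finding 'domains' 'CurrentVersion\domains (value)' ([string]$cv.GetValue('domains')) 'HIGH'
}
if ($cv.GetSubKeyNames() -contains 'domains') {
    $sub  = Get-Item -Path "$cvPath\domains"
    $vals = ($sub.GetValueNames() | ForEach-Object { "$_=$($sub.GetValue($_))" }) -join '; '
    Add-Finding 'domains' 'CurrentVersion\domains (key)' $vals 'HIGH'
}

# --- 3. Internet Settings: these values also occur as defaults on clean machines,
#         so they are recorded as context only and never scored on their own
$zone = Get-ItemProperty -Path "$inetPath\ZoneMap" -ErrorAction SilentlyContinue
$inet = Get-ItemProperty -Path $inetPath -ErrorAction SilentlyContinue
if ($zone -and $zone.ProxyBypass -eq 1)       { Add-Finding 'InternetSettings' 'ZoneMap\ProxyBypass' '1' 'context' }
if ($inet -and $inet.GlobalUserOffline -eq 0) { Add-Finding 'InternetSettings' 'GlobalUserOffline' '0' 'context' }

$findings | Format-Table -AutoSize -Wrap
```

Two practical notes on reading the output. First, a HIGH SSODL finding whose DLL is reported as loaded in explorer.exe explains why deleting the registry values alone does not hold: as the entry says, the trojan periodically rewrites them, so the DLL has to be unloaded (or the file quarantined and the session logged off) before the cleanup sticks. Second, the ProxyBypass and GlobalUserOffline values match their normal defaults on many systems, which is why the script never raises them above "context"; the check-in to setup.jobusiness.org at roughly ten-minute intervals in DNS or proxy logs is a far stronger corroborating signal than either value.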
Analysis by David Wood