Sometimes, nothing that you can look at.
We are analyzing what appears to be a spike in PornClicker activity. The keenly named updater, up.exe, for this software downloads a jpg from smart-browser.com, a “sex browser” software distributor.
Jpeg files normally are a special format of image files commonly used for displaying pictures on the web. But this updater renames the downloaded jpegs to .dll and .exe extensions. They most likely are using the jpg extension on its downloaded executables to evade the simplest firewall and Url filtering schemes.
The delphi-written executable surprises us with a few camouflaging techniques. We are seeing it use multiple plays on Adobe’s trademarked name. For example, when up.exe is run and deletes itself, it uses the unusual suspended process/setthreadcontext technique mentioned in a previous post to start and inject Internet Explorer with its own code. Then, the code running within the IE process creates an “Adobe” directory within the user’s %Application Data% directory. This zombie Internet Explorer process downloads the udpi2.jpg file served from hxxp://smart- browser.com/ updatex/ udpi2.jpg, and renames the phony image file to rundtl.exe. Their code then creates a run registry key so that the app starts every time the machine is booted:
“C:\Documents and Settings\p\Application Data\Adobe\rundtl.exe” -sys
Hmm. Is it a pdf reader or Adobe’s download manager? No.
Instead, once running alongside another downloaded .jpg file renamed to an executable component (mdb.dll), the PornClicker connects to Yahoo!Messenger over http and starts spamming out messages like
“I know it’s been a while but check out my webpage and let me know if you wanna talk more”
It also begins to click on and pull down garbled urls.
Nothing to look at here:
ThreatFire’s name for it is “PuA.SmartBrowser.PornClicker”.
Note- The ThreatFire name has been updated to “Trojan.Injector”.