You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Clickbot.A

 
Threat LevelModerate threatDamageHighDistributionNot widespread

Effects 

Clickbot.A carries out the following actions:

  • It registers itself as a BHO (Browser Helper Object), in order to be run whenever Internet Explorer is run.
  • It notifies that it is installed on the computer, by accessing a PHP script in a certain website. It sends its version and a unique identificator.
  • It checks if there is an update of itself available. If so, it downloads and runs it.
  • It registers itself in a database of the control system. Then, it waits until it receives the order of clicking advertisements, which advertisements it must click and the keywords targeted.
  • This way, its controller aims to gain financial profit from illegitimate clicks on advertisements sponsored by a certain company, which does not get any visits to its website on return.

Infection strategy 

Clickbot.A creates the following files:

  • TEMP.WSF in the Windows temporary directory. This file is written in JavaScript, and deletes the Trojan file one it has carried out its actions.
  • IEHLEPERVY.DLL, in the Windows system directory. This file is a DLL (Dynamic Link Library), which is registered as BHO (Browser Helper Object).

 

Clickbot.A creates the following entries in the Windows Registry:

  • HKEY_CLASSES_ROOT\ CLSID\ {60F4F2F3-0AFB-4AEF-B21E-B03D1C95B49E
  • HKEY_CLASSES_ROOT\ CLSID\ {E89097ED-3400-411D-9647-D368C3311C98}
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.BrowserHook
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.BrowserHook.1
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.IExplorerHelper\ CLSID
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.IExplorerHelper\ CurVer
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.IExplorerHelper.1
  • HKEY_CLASSES_ROOT\ IExplorerHelperVS.IExplorerHelper.1\ CLSID
  • HKEY_CLASSES_ROOT\ Interface\ {68A7972B-AA41-4EE7-8A5F-F2986A0C2504}
  • HKEY_CLASSES_ROOT\ Interface\ {7A84FD4C-1853-458D-A878-B1860F93D2EF}
  • HKEY_CLASSES_ROOT\ TypeLib\ {2215C65C-89E2-4363-820A-8C46FD4A9C97}
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Browser Helper Objects\ {E89097ED-3400-411D-9647-D368C3311C98}
    By creating these entries, Clickbot.A is registered as BHO and activates whenever the Internet Explorer browser is run.

Means of transmission 

Clickbot.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

The executable file is written in the Assembler language, whereas the DLL is written in Visual C++. The executable file is 61,873 bytes in size, and it is compressed with FSG.