Trojan:Win32/C2Lop is a trojan that modifies Web browser settings, adds Web browser bookmarks to advertisements, updates itself and delivers pop-up and contextual advertisements.
Installation
C2Lop may be distributed in a software package called 'MessengerPlus!', an add-on for MSN Messenger (identified as "Program:Win32/MessengerPlus"). C2Lop generally consists of the following components:
When installed, C2Lop may create the following folders that contain these components:
%APPDATA%\bat date
%APPDATA%\fork option
%APPDATA%\licensebagstwo
%APPDATA%\media heart second balm
%APPDATA%\plandraw
%APPDATA%\roadjugsrulebarb
%APPDATA%\the grim
%APPDATA%\the two bolt
%TEMP%\delete.me
%ALLUSERSPROFILE%\Application Data\store surf seek corn
%ALLUSERSPROFILE%\Application Data\filmchicpartbind
%ProgramFiles%\adverts
%ProgramFiles%\c2media
%ProgramFiles%\plandraw
%ProgramFiles%\window active
The components may use any of several filenames, as in the following examples:
%APPDATA%\The two bolt\25F5C860
%APPDATA%\The two bolt\help readme internet bold.exe
%APPDATA%\The two bolt\MODE ACE 01.exe
%APPDATA%\The two bolt\okiwoayk.exe
%APPDATA%\The two bolt\Support bits free.exe
%TEMP%\bis4.exe
%ALLUSERSPROFILE%\Application Data\store surf seek corn\AUDIO WAY TIME
%ALLUSERSPROFILE%\Application Data\store surf seek corn\Camp bits.exe
%ProgramFiles%\Adverts\uninst.exe
The installer for C2Lop may create several bookmarks in the Internet Explorer Favorites folder of the current user profile:
%USERPROFILE%\Favorites\online gaming
%USERPROFILE%\Favorites\computers
%USERPROFILE%\Favorites\internet
%USERPROFILE%\Favorites\shopping gifts
%USERPROFILE%\Favorites\travel
%USERPROFILE%\Favorites\cool stuff
%USERPROFILE%\Favorites\adult items
%USERPROFILE%\Favorites\adult entertainment
%USERPROFILE%\Favorites\dating
Some variants of C2Lop may drop shortcuts to various other Web sites onto the user's desktop, for example to sites of the following types:
Cellphone ringtones
Rogue AS/AV products
Poker games
The registry may be modified to run C2Lop at each Windows start.
Adds value: "Flag dead"
With data: "%APPDATA%\The two bolt\MODE ACE 01.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Seek Corn Rdr Less"
With data: "%ALLUSERSPROFILE%\Application Data\store surf seek corn\Camp bits.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Other registry values and data may be created by the C2Lop installer as in the following examples:
Adds key: "curb mp3 bikefast"
To subkey: HKCU\Software\
Adds key: "okay build"
To subkey: HKCU\Software\curb mp3 bikefast
Adds key: "math hide"
To subkey: HKCU\Software\curb mp3 bikefast
Adds key: "FOUR BOWS JUMP"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
Adds key: "atomwarn"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\FOUR BOWS JUMP
Adds value: "balltick"
With data: <random characters>
To subkey: HKCU\Software\1ActiveAmok
C2Lop may launch the Web browser Internet Explorer (IE) from the file path "%ProgramFiles%\Internet Explorer\iexplore.exe" and inject its own code into the IE process.
Payload
Downloads Components
C2Lop may connect to the following remote Web sites, then download and execute other components:
The trojan may connect to one other site that uses a variable domain name:
<random>.bins.dns-look-up.com
Upon successful installation, unwanted pop-ups and advertisements may be displayed on the desktop of the affected machine.
Modifies Hosts File
Some variants modify the local hosts file so that Web browser connection attempts to domains linked with WinFixer are redirected to localhost, as in the following examples:
127.0.0.1 secure.errorsafe.com ## added by CiD
127.0.0.1 secure.winantispam.com ## added by CiD
127.0.0.1 secure.winantispy.com ## added by CiD
127.0.0.1 secure.winantivirus.com ## added by CiD
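A defender can check a hosts file for this tampering by flagging external names mapped to a loopback address and noting whether the "added by CiD" comment or one of the WinFixer domains listed above is present. The following script is an added example, not part of this analysis; the sample hosts content is constructed, and the `.test` names in it are placeholders.

```python
from typing import List, Tuple

# Comment marker the C2Lop variants described above append to the entries they add.
CID_MARKER = "added by CiD"
# WinFixer-linked domains this page lists as being redirected to localhost.
WINFIXER_DOMAINS = {"secure.errorsafe.com", "secure.winantispam.com",
                    "secure.winantispy.com", "secure.winantivirus.com"}
# Mapping an external name to a loopback address sinkholes it on the local machine.
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, comment) per hostname; the inline comment is kept."""
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), comment.strip("# ").strip()))
    return entries

def find_c2lop_redirects(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, reason) for each non-local name mapped to loopback.
    reason: 'cid-marker' (C2Lop comment present), 'winfixer-domain' (domain from
    this page, marker absent) or 'loopback-redirect' (any other sinkholed name)."""
    findings = []
    for ip, name, comment in parse_hosts(text):
        if ip not in LOOPBACK or name in LOCAL_NAMES:
            continue
        if CID_MARKER.lower() in comment.lower():
            reason = "cid-marker"
        elif name in WINFIXER_DOMAINS:
            reason = "winfixer-domain"
        else:
            reason = "loopback-redirect"
        findings.append((ip, name, reason))
    return findings

# Constructed sample hosts file; the loopback entries mirror this page's examples.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 secure.errorsafe.com ## added by CiD
127.0.0.1 secure.winantispy.com
127.0.0.1 update.example.test
192.168.1.10 intranet.example.test   # benign LAN entry
"""
```

Call `find_c2lop_redirects(SAMPLE_HOSTS)` to see the three flagged entries, or pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` to inspect a real machine; the third reason class is a prompt for analyst review, since legitimate local overrides also map names to loopback.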
Displays Links
The C2Lop BHO (Browser Helper Object) component takes advantage of mistyped or invalid URLs entered in the Web browser, redirecting those attempts to various sponsored Web sites. When broken URLs are entered into the address bar of Internet Explorer, C2Lop may display links to sponsored Web sites.
Analysis by Jaime Wong