
win_trojan.adclicker

Event: Threat Found!
Threat: Trojan.Adclicker
File: C:\malware\Bjq.exe
md5sum: 5237f35ccb015205d01262a19879017b Blq.exe
sha1sum: 3122a37f1bb6ca59ba3e2cf436543a0abbfbf155 Blq.exe
info: 9729 Mar 30 2005 Blq.exe
Date found: Saturday, December 17, 2005 8:09:58 PM

PE Protection: Scanning -> C:\malware\bluemountain\Blq.exe
File Type : Exe, Size : 9729 (02601h) Bytes
-> File has 1 (01h) bytes of appended data starting at offset 02600h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.922 Seconds
Nothing found [Overlay] *

This is interesting. I have a big directory full of all kinds of malware from a malicious email that I purposely infected a VMware VM with. I decided to use the nepenthes bdiffm tool to see if any of them were the same thing. The results were awesome and I guess I don't have to analyze all those binaries :)

./bdiffm $( find -size 1980c )
bdiffm version 1927 built Dec 13 2005 21:56:16
01 ./Qob.exe 0x00002601 0xb7fb8000
02 ./Rds.exe 0x00002601 0xb7fb5000
03 ./Omr.exe 0x00002601 0xb7fb2000
04 ./Bvr.exe 0x00002601 0xb7faf000
05 ./Blq.exe 0x00002601 0xb7fac000
06 ./Eld.exe 0x00002601 0xb7fa9000
07 ./Uhf.exe 0x00002601 0xb7fa6000
08 ./Pbs.exe 0x00002601 0xb7fa3000
09 ./Fua.exe 0x00002601 0xb7f9b000
10 ./Vtr.exe 0x00002601 0xb7f98000
11 ./ms1.txt 0x00002601 0xb7f95000
12 ./Mas.exe 0x00002601 0xb7f92000
13 ./Rvf.exe 0x00002601 0xb7f8f000
14 ./Bds.exe 0x00002601 0xb7f8c000
15 ./Drl.exe 0x00002601 0xb7f89000
16 ./Cqn.exe 0x00002601 0xb7f86000
17 ./ms1.exe 0x00002601 0xb7f83000
18 ./Bnf.exe 0x00002601 0xb7f80000
19 ./Bjq.exe 0x00002601 0xb7f7d000
20 ./Tlo.exe 0x00002601 0xb7f7a000
21 ./Vjj.exe 0x00002601 0xb7f77000
22 ./Ges.exe 0x00002601 0xb7f74000

Comparing 22 files.

   | 01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16   17   18   19   20   21   22
---+--------------------------------------------------------------------------------------------------------------
01 | 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
02 |      100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
03 |           100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
04 |                100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
05 |                     100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
06 |                          100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
07 |                               100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
08 |                                    100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
09 |                                         100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
10 |                                              100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
11 |                                                   100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
12 |                                                        100% 100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
13 |                                                             100% 100% 100% 100% 100% 100% 100% 100% 100% 100%
14 |                                                                  100% 100% 100% 100% 100% 100% 100% 100% 100%
15 |                                                                       100% 100% 100% 100% 100% 100% 100% 100%
16 |                                                                            100% 100% 100% 100% 100% 100% 100%
17 |                                                                                 100% 100% 100% 100% 100% 100%
18 |                                                                                      100% 100% 100% 100% 100%
19 |                                                                                           100% 100% 100% 100%
20 |                                                                                                100% 100% 100%
21 |                                                                                                     100% 100%
22 |                                                                                                          100%
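As an added example (my own code, not nepenthes' bdiffm, whose comparison algorithm the post does not show), the Python below reproduces the triage step done above: hash every sample, group byte-identical files so only one per group needs analysis, and print a bdiffm-style upper-triangular matrix for the rest. The similarity metric (share of equal bytes at equal offsets) and the in-memory sample set are constructed assumptions.

```python
"""Triage a drop directory of suspect binaries: hash, group identical files, and
print a bdiffm-style similarity matrix. Added example, not nepenthes' bdiffm; the
metric (share of equal bytes at equal offsets) is an assumption, not bdiffm's."""
from __future__ import annotations
import hashlib
from collections import defaultdict

def digests(data: bytes) -> tuple[str, str]:
    """(md5, sha1) hex digests, the values md5sum/sha1sum print in the report."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def similarity(a: bytes, b: bytes) -> float:
    """Fraction of offsets where both files hold the same byte (0.0 .. 1.0)."""
    n = max(len(a), len(b))
    if n == 0:
        return 1.0
    return sum(1 for x, y in zip(a, b) if x == y) / n

def cluster_by_hash(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group names whose (size, sha1) match: byte-identical files need one analysis."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, data in samples.items():
        groups[f"{len(data)}:{digests(data)[1]}"].append(name)
    return dict(groups)

def matrix(samples: dict[str, bytes]) -> str:
    """Render the upper-triangular percentage table the way bdiffm lays it out."""
    names = list(samples)
    lines = ["   | " + " ".join(f"{i + 1:02d}  " for i in range(len(names)))]
    lines.append("---+" + "-" * (5 * len(names)))
    for i, a in enumerate(names):
        row = " ".join(f"{round(100 * similarity(samples[a], samples[b])):3d}%" for b in names[i:])
        lines.append(f"{i + 1:02d} | " + "     " * i + row)
    return "\n".join(lines)

# Constructed sample set: three byte-identical files under different names, one that differs.
SAMPLES = {
    "Blq.exe": b"MZ" + b"\x90" * 100 + b"\x00",
    "Bjq.exe": b"MZ" + b"\x90" * 100 + b"\x00",
    "ms1.txt": b"MZ" + b"\x90" * 100 + b"\x00",
    "Other.exe": b"MZ" + b"\xcc" * 100 + b"\x00",
}

if __name__ == "__main__":
    print(cluster_by_hash(SAMPLES))
    print(matrix(SAMPLES))
```

To run it over a real drop folder, read each file with `open(path, "rb").read()` into a dict keyed by file name and pass that dict in place of SAMPLES.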

EDIT (ivans): I've attached reversed C code.