Author Topic: TrojWare.JS.TrojanClicker.Linker.H[at]14996 -- what is this virus?  (Read 16613 times)

Offline jbeall

  • Newbie
  • *
  • Posts: 15
Hi All,

Just today, Comodo Antivirus popped up with a warning that it had found the virus TrojWare.JS.TrojanClicker.Linker.H[at]14996 in several locations (all something like C:\Windows\SoftwareDistribution\Download\c0d181c8a9fb0e511c4472c233088a92\BITD950.tmp).

I quarantined the files in question, then deleted them, and I've been searching for more info on this virus to try and figure out how it got on my computer.  I run a clean system, I don't download software that I don't have good reason to trust, and I stay up to date on software updates.  So I'm a little concerned how this got on here, and if I could learn more about the virus I might be able to track down how it got on my machine.

But, all my searches are coming up blank--I can't find anything on the virus "TrojWare.JS.TrojanClicker.Linker.H[at]14996".

Anybody got a pointer for me?

  -Josh

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
« Reply #1 on: July 25, 2009, 11:23:31 PM »
Hey, it sounds like it MAY be a FP. Upload the sample to www.virutstotal.com and post back the results please...
Windows 7 x64
AMD FX 8120, 8gb ram, ATI 6870 1gb

Offline jbeall

« Reply #2 on: July 26, 2009, 06:17:26 AM »
What is an FP?

Also, the site http://www.virutstotal.com/ comes up as not found for me.  Did you mean a different site?
« Last Edit: July 26, 2009, 06:19:30 AM by jbeall »

Offline Kyle

« Reply #3 on: July 26, 2009, 06:30:54 AM »
My mistake.. I was typing in between talking to my girlfriend  ;D

www.virustotal.com
^ Has multiple virus scanners; you can scan a single file online, and this will help you tell whether the file is malicious or not. FP = False Positive (false detection)

Offline jbeall

« Reply #4 on: July 26, 2009, 08:57:05 PM »
Well, I would do that... except I already deleted the files!  :o

Guess that wasn't a smart thing to do.  :-\

Offline Ohke

  • Newbie
  • *
  • Posts: 7
    • Ohke's PC help etc., in Danish
« Reply #5 on: July 28, 2009, 10:44:48 AM »
Hi jbeall ...

You just need to search a little differently in Google, with and without this " in your search.
If you search for only this > "Trojan.JS." or by this "TrojanClicker.Linker.H"
( [at]14996 is maybe where it's located at ?? )

You find that it is a Rootkit.Trojan.JS.TrojanClicker.Linker.H you found and deleted...
Look, see here > Sunbelt Malware Research Lab

"Trojan.JS." is like a group name / first name.... and "TrojanClicker.Linker.H" is a specific name / like a surname.
A rootkit virus, trojan, spyware and worm is a malware program that may have administrator level access
to all the network system.
What it does is, it burrows itself deep into the system and hides itself, making it almost invisible and hard to be removed and detected by antivirus.
However, rootkits which don't work in Safe Mode won't be detected this way.
Don't know if you really have a rootkit or not, or if it just was a False Positive (aka FP).

But there are a lot of programs from well-known sites that have rootkit / stealth malware detectors,
GMER is one of them, but it is so hard to do it by yourself, if you don't know how to do it.
Read at this page and find out some more...
http://www.bleepingcomputer.com/forums/topic221913.html

Best of Luck and
Regards Ohke
P.S.
I can highly recommend this program, to run in Safe Mode, it's a good deep scanner. (and it's free)
Norman Malware Cleaner
(runs under OS (operating systems) Windows 98, Me, NT, XP, Vista and Windows 7)
OBS.!! Wanted :
Person willing to seal gas leaks with candle.
Must be willing to travel.
If at first you don’t succeed,
Skydiving is not for you !!

Offline jbeall

« Reply #6 on: July 28, 2009, 10:49:57 AM »
I actually did find that page in my searching, but it doesn't really give any useful information.  It says it's a Trojan, but that was obvious from the name.  I suppose knowing it was a rootkit might possibly be helpful, but despite the page title, it doesn't have any removal information, and it also has no information about attack vectors, or what the virus actually does once it gets on your machine.  Is it a key logger?  Is it part of a botnet?  Or what?

Thanks for the other links, I will run some more scans with various pieces of software.

Offline OmeletGuy

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2902
  • Dragon Theme Maker
« Reply #7 on: July 28, 2009, 01:10:34 PM »
Look at the name.
TrojWare.JS.TrojanClicker.Linker.H[at]14996
             
JS means JavaScript. TrojanClicker comes with a webpage that, if you click anywhere, will ask you to download a file, as far as I have noticed. Linker, I guess, links to a download.

This is nothing big, no need to worry, and I'm very sure it's not a FP.

« Last Edit: July 28, 2009, 02:03:06 PM by OmeletGuy »
Comodo Dragon themes, including windows Aero options. Download  Here

System Details: W7-64bit | 4GB DDR2 | Intel Core 2 Extreme X6800 | CIS 6.3 | Geforce 560 GTX

Offline jbeall

« Reply #8 on: July 28, 2009, 01:48:31 PM »
How would it have gotten in C:\Windows\SoftwareDistribution\Download?  I would have thought that it would be in a temporary internet files folder or something.  I thought C:\Windows\SoftwareDistribution\Download was for actual executable binaries that got downloaded, e.g., desktop apps, Windows updates, etc.  Not JS or other web content?

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 871
« Reply #9 on: July 28, 2009, 02:16:25 PM »
Hi jbeall,

Can you reproduce the steps you had prior to this event or somehow retrieve the file that you mentioned in your posts?

Having the file at our disposal will give us the opportunity to check whether it is malware or false positive.

Thanks,
Ionel

Offline jbeall

« Reply #10 on: July 28, 2009, 02:34:18 PM »
Ok, I manually looked through my SoftwareDistribution\Download folder and found three more files that trigger this same error.

Unfortunately, I can't figure out how to actually get at the files.  Every program I open them in either says the file does not exist or gives me an empty file (I think because it thinks the file does not exist).

I can't copy them, I get "access denied" or "file does not exist" errors.

So, for the time being I've got them in Comodo AV's quarantine.  How do I get at them from there?  Where are these files?

  -Josh

Offline Ionel

« Reply #11 on: July 28, 2009, 03:21:20 PM »
Hi jbeall,

You cannot retrieve the files because CIS denied the access to them. These next steps have to be carefully done in order to retrieve them.

Temporarily disable the Antivirus, open CIS and go to Antivirus -> Quarantined Items, check the location of the files, click the ones that you believe are false positives and hit restore.

Navigate to the mentioned location and create an archive protected by a password with these files, reactivate Antivirus and then submit the archive here in order to verify whether they're malware or false positives.

Regards,
Ionel

Offline jbeall

« Reply #12 on: July 28, 2009, 04:03:00 PM »
No luck getting at the file, even with Comodo closed.  Here's a recording:
http://www.screencast.com/t/GucoFR0XLl

Offline jbeall

« Reply #13 on: July 28, 2009, 04:06:14 PM »
The files are in Comodo's quarantine again--after recording this video, I restarted Comodo, had it scan those files, and when it picked up a virus I had it quarantine the files.

hailong.wang

  • Guest
« Reply #14 on: July 28, 2009, 08:46:08 PM »
No luck getting at the file, even with Comodo closed.  Here's a recording:
http://www.screencast.com/t/GucoFR0XLl
Hi jbeall,

We have seen the link, but can't get the sample from the video. Please do as ionelp said: close the real-time scanner of CIS briefly, zip the file, and upload it to the forum, so that we can have a look at it.

Regards,
hailong.wang
« Last Edit: July 28, 2009, 08:51:32 PM by hailong.wang »
