Discovered: June 29, 2006
Updated: June 30, 2006 5:53:34 AM
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Clagger is a Trojan horse that attempts to download and execute a file from the Internet.
The Trojan reportedly arrives as an email attachment named ebay_rechnung.pdf.exe.
Once executed, the Trojan creates the following files:
%System%\ipf.exe
%System%\drivers\winut.dat
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"IPF" = "%System%\ipf.exe"
The Trojan creates the following registry entry as an infection marker:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"WindowsShell" = "1"
The Trojan also modifies the following registry entries to allow it to bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[PATH TO THE TROJAN]" = "[PATH TO THE TROJAN]:*:Enabled:[TROJAN FILENAME]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\ipf.exe" = "%System%\ipf.exe%:*:Enabled:ipf"
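As an added defender's example (not part of the Symantec writeup), the following Python parses a registry export in .reg format and flags the three artifacts described above: the IPF Run entry, the WindowsShell infection marker, and a Windows Firewall authorized-application exception for ipf.exe. The sample export text, the paths in it and the function names are constructed for illustration.

```python
import re

# Constructed sample of a "reg export" of HKLM (not a real capture). It holds
# the three artifacts the writeup attributes to Trojan.Clagger plus one benign
# Run entry so the checker has something to leave alone.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IPF"="C:\\WINDOWS\\system32\\ipf.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"WindowsShell"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ipf.exe"="C:\\WINDOWS\\system32\\ipf.exe:*:Enabled:ipf"
'''

CV_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEY = CV_KEY + r"\Run"
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

def parse_reg_export(text):
    """Yield (key, value_name, data) for each "name"="data" line of a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'^"(.*?)"="(.*)"$', line)
            if m:  # .reg files double every backslash; undo that for comparison
                yield key, m.group(1).replace("\\\\", "\\"), m.group(2).replace("\\\\", "\\")

def clagger_indicators(text):
    """Return the Trojan.Clagger registry artifacts found in a .reg export."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() == RUN_KEY.lower() and name == "IPF" and data.lower().endswith(r"\ipf.exe"):
            findings.append("persistence: Run\\IPF -> " + data)
        elif key.lower() == CV_KEY.lower() and name == "WindowsShell" and data == "1":
            findings.append("infection marker: CurrentVersion\\WindowsShell = 1")
        elif key.lower() == FIREWALL_LIST.lower():
            # Authorized-application data has the form  path:*:Enabled:name
            path, _, rest = data.partition(":*:")
            if path.lower().endswith(r"\ipf.exe") and rest.startswith("Enabled"):
                findings.append("firewall exception: " + path)
    return findings
```

Feed it the output of `reg export HKLM <file>` from a suspect machine; an empty list means none of the writeup's registry artifacts were present in the export.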
Next, the Trojan attempts to download one of the following text files, each of which contains an encrypted URL.
The Trojan then decrypts the encrypted URL, which resolves to the following address, and attempts to download an executable file from it:
http://cwmdulais.org.uk/images/93.exe
At the time of writing, there was no file available at the URL.
Writeup By: Takayoshi Nakayama