New Adware Trojan plays continuous audio ads

June 14, 2013

The Dell SonicWALL Threats Research team have discovered a new adware Trojan that plays a continous stream of audio advertisements in the background. The content of the ads can range from dating to politics. The audio can originate from various sources such as video links from youtube pages.

Infection Cycle:

The Trojan uses the following icon:

The following is a sample of DNS queries made by the Trojan:

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%K14Rfeedsavcodec-53.dll
  • %PROGRAMFILES%K14Rfeedsavformat-53.dll
  • %PROGRAMFILES%K14Rfeedsavutil-51.dll
  • %PROGRAMFILES%K14RfeedsAwesomium.dll
  • %PROGRAMFILES%K14Rfeedsawesomium.log
  • %PROGRAMFILES%K14Rfeedsawesomium_pak_utility.exe
  • %PROGRAMFILES%K14Rfeedsawesomium_process.exe
  • %PROGRAMFILES%K14RfeedsCachedata_0
  • %PROGRAMFILES%K14RfeedsCachedata_1
  • %PROGRAMFILES%K14RfeedsCachedata_2
  • %PROGRAMFILES%K14RfeedsCachedata_3
  • %PROGRAMFILES%K14RfeedsCachef_000001 - 00004b
  • %PROGRAMFILES%K14RfeedsCacheindex
  • %PROGRAMFILES%K14RfeedsCookies
  • %PROGRAMFILES%K14Rfeedsgoogle_result.jpg
  • %PROGRAMFILES%K14Rfeedsicudt.dll
  • %PROGRAMFILES%K14Rfeedskworker.exe
  • %PROGRAMFILES%K14RfeedslibEGL.dll
  • %PROGRAMFILES%K14RfeedslibGLESv2.dll
  • %PROGRAMFILES%K14RfeedsLocal Storage
  • %PROGRAMFILES%K14RfeedsLocal
  • %PROGRAMFILES%K14Rfeedsreferers.txt
  • %PROGRAMFILES%K14RfeedsSDL.dll
  • %PROGRAMFILES%K14Rfeedssilentium.exe [Detected as GAV: Clicker.BDIK (Adware)]
  • %PROGRAMFILES%K14Rfeedsx86NPSWF32_11_5_502_135.dll
  • %PROGRAMFILES%K14Rfeedsyoutube_result.jpg
  • %PROGRAMFILES%K14Rlupdater.exe [Detected as GAV: MalAgent.G_2412 (Trojan)]
  • %PROGRAMFILES%K14Rsnupdater.exe [Detected as GAV: Clicker.BDHP (Adware)]
  • %PROGRAMFILES%K14Ruvname.conf
  • %PROGRAMFILES%K14Rversions.conf
  • %PROGRAMFILES%K14RWindowsService.exe [Detected as GAV: Clicker.BBII (Adware)]

The cache directory contains HTML data from webpages that it visits.

referers.txt contains the following data:


The Trojan requests a list of modules to download from a remote webserver and proceeds to download them. The modules are required for audio playback and downloading ads from sites:

The Trojan spawns multiple copies of silentium.exe and awesomium_process.exe:

An instance of silentium.exe was observed being spawned with the following commandline showing the source of one of the ads from

After a short period of time the victim is bombarded with various audio ads that play continuously in the background. Due to a number of instances of silentium.exe running, multiple ads are played over each other. The above commandline resulted in audio advertisments from a dating site being played in the background.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Clicker.BDIK (Adware)
  • GAV: Clicker.BDHP (Adware)
  • GAV: Clicker.BBII (Adware)
  • GAV: Clicker.BDHP_2 (Adware)
  • GAV: MalAgent.G_2412 (Trojan)