1. /
  2. Security Response/
  3. FakeCloudAV2012

FakeCloudAV2012

Updated:
January 13, 2012 2:23:05 AM
Type:
Misleading Application
Name:
CloudAV2102
Risk Impact:
Medium
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Behavior
The program reports false or exaggerated system security threats on the computer.







The user is then prompted to pay for a full license of the application in order to remove the threats.





Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Local Settings\Application Data\[THREE RANDOM LETTERS].exe
  • %UserProfile%\Local Settings\Application Data\2e01oq0m46k223
  • %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME]
  • %UserProfile%\Templates\[RANDOM FILE NAME]


Next, it creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "1"


It then modifies the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "0"


The program then deletes the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver