
HTTP Cleanator Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects network activity associated with the misleading application Cleanator.

Additional Information

When the program is executed, it creates the following files:

* %UserProfile%\Local Settings\Temp\is-0A3OH.tmp\CleanatorSetup.tmp
* %UserProfile%\Local Settings\Temp\is-T4L7T.tmp\_isetup\_RegDLL.tmp
* %UserProfile%\Local Settings\Temp\is-T4L7T.tmp\_isetup\_shfoldr.dll
* C:\Documents and Settings\All Users\Start Menu\Programs\Cleanator\Cleanator on the Web.url
* C:\Documents and Settings\All Users\Start Menu\Programs\Cleanator\Uninstallator.lnk
* %ProgramFiles%\Cleanator\Cleanator.ico
* %ProgramFiles%\Cleanator\logo_small_16.ico
* %ProgramFiles%\Cleanator\Recycle.ico
* %ProgramFiles%\Cleanator\unins000.dat
* %ProgramFiles%\Cleanator\unins000.exe
* %UserProfile%\Desktop\CleanatorSetup.exe
* C:\Documents and Settings\All Users\Desktop \Cleanator.lnk
* C:\Documents and Settings\All Users\Start Menu\Programs\Cleanator\Cleanator.lnk
* %ProgramFiles%\Cleanator\Cleanator.exe
* %ProgramFiles%\Cleanator\ClShl.dll

The program then creates the following folders:

* %UserProfile%\Local Settings\Temp\is-0A3OH.tmp
* %UserProfile%\Local Settings\Temp\is-T4L7T.tmp
* %UserProfile%\Local Settings\Temp\is-T4L7T.tmp\_isetup
* C:\Documents and Settings\All Users\Start Menu\Programs\Cleanator
* %ProgramFiles%\Cleanator

Next, the program creates the following registry entry so that it executes whenever Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Cleanator" = "C:\Program Files\Cleanator\Cleanator.exe"

The program creates the following registry entries:

* HKEY_CLASSES_ROOT\CLSID\{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}\"default" = "Secure Delete"
* HKEY_CLASSES_ROOT\CLSID\{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}\InprocServer32\"ThreadingModel" = "Apartment"
* HKEY_CLASSES_ROOT\CLSID\{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}\InprocServer32\"default" = "C:\PROGRA~1\CLEANA~1\ClShl.dll"
* HKEY_CLASSES_ROOT\Cleanator\shellex\"default" = ""
* HKEY_CLASSES_ROOT\Cleanator\shellex\ContextMenuHandlers\"default" = ""
* HKEY_CLASSES_ROOT\Cleanator\shellex\ContextMenuHandlers\ContMenu\"default" = "{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\"AppVersion" = "2.4"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"10" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"11" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"12" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"13" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"14" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"15" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"16" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"17" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"18" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"19" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"20" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"21" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"22" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"23" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"24" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"25" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"26" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"27" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"28" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"29" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"30" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"31" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"32" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"33" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"34" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"35" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"36" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"37" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"38" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"39" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"40" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"41" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"42" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"43" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"44" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"45" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"4" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"5" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"6" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"7" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"8" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\AdvSet\"9" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"10" = "Chkdsk file fragments"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"11" = "Windows DLL cache"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"12" = "Windows run history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"13" = "Windows find files history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"14" = "Open/Save dialogs history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"15" = "Recently accessed files list"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"16" = "IE temporary internet files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"17" = "IE cookies"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"18" = "IE recently typed URLs"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"19" = "IE browser history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"20" = "Opera internet cache"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"21" = "Opera cookies"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"22" = "Opera browser history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"23" = "Firefox(Mozilla) internet cache"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"24" = "Firefox(Mozilla) cookies"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"25" = "Firefox(Mozilla) download history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"26" = "Firefox(Mozilla) browser history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"27" = "AOL log files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"28" = "AOL downloaded files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"29" = "AOL recently typed messages"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"30" = "MSN log files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"31" = "MSN downloaded files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"32" = "MSN recently typed messages"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"33" = "ICQ log files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"34" = "ICQ downloaded files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"35" = "ICQ recently typed messages"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"4" = "Temporary folders"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"5" = "Recycle bin"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"6" = "Windows clipboard history"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"7" = "Windows update files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"8" = "Prefetch contents"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Items\"9" = "Windows log files"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Set\"Error" = "DAB"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Set\"OnStratup" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Set\"Recicle" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Set\"ScanTime" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Set\"SecureDel" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Backup files" = "*.bak;*.old;*.syd"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Help Temporary files" = "*.gid;*.chw"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Office Temporary files" = "*.~$*"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Saved Search Files" = "*fnd"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Temporary files" = "*.tmp;*._mp"
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator\Temp\"Type" = "Search strings"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\"{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}" = "Secure Delete"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"DisplayIcon" = "C:\Program Files\Cleanator\Cleanator.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"DisplayName" = "Cleanator (remove only)"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"HelpLink" = "http://cleanator.com/"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"Inno Setup" = "App Path"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"Inno Setup" = "Icon Group"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"Inno Setup" = "Setup Version"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"Inno Setup" = "User"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"InstallDate" = "20080117"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"InstallLocation" = "C:\Program Files\Cleanator\"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"NoModify" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"NoRepair" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"QuietUninstallString" = ""C:\Program Files\Cleanator\unins000.exe" /SILENT"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"URLInfoAbout" = "http://cleanator.com/"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"URLUpdateInfo" = "http://cleanator.com/"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1\"UninstallString" = "C:\Program Files\Cleanator\unins000.exe"
It also creates the following registry subkeys:

* HKEY_CLASSES_ROOT\Cleanator
* HKEY_LOCAL_MACHINE\SOFTWARE\Cleanator
* HKEY_CLASSES_ROOT\CLSID\{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
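The following PowerShell script is an added example, not Symantec's code or part of the original advisory. It performs a read-only check for the indicators listed above (the Run persistence value, the approved shell-extension CLSID, the created subkeys and the files under Program Files) so that an analyst can confirm what is present before carrying out step 4. It assumes the default Program Files location from the advisory, an elevated prompt (HKLM and Program Files must be readable), and PowerShell 4 or later for Get-FileHash; the temporary Inno Setup folder names (is-0A3OH.tmp, is-T4L7T.tmp) vary per installation and are deliberately not checked.

```powershell
# Added example (not Symantec's code): read-only check for the Cleanator
# indicators listed in this advisory. It reports findings and deletes nothing.
# Assumptions: run elevated; default Program Files path; PowerShell 4+ for Get-FileHash.

$clsid = '{C0B1EE11-95EB-4C43-8A65-B49BFAF18FD4}'

# Registry values named in the advisory (key path + value name)
$valueChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Cleanator' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'; Name = $clsid }
)

# Registry subkeys the advisory says are created
$keyChecks = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\Cleanator',
    'HKLM:\SOFTWARE\Cleanator',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cleanator_is1'
)

# Files dropped into Program Files (temp-folder names vary per run, so they are skipped)
$fileChecks = @(
    (Join-Path $env:ProgramFiles 'Cleanator\Cleanator.exe'),
    (Join-Path $env:ProgramFiles 'Cleanator\ClShl.dll'),
    (Join-Path $env:ProgramFiles 'Cleanator\unins000.exe')
)

$findings = @()

# A present Run value is the persistence indicator; record its data for the report
foreach ($c in $valueChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{
            Type     = 'RegValue'
            Location = "$($c.Key)\$($c.Name)"
            Data     = $item.($c.Name)
        }
    }
}

foreach ($k in $keyChecks) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Location = $k; Data = '' }
    }
}

# Hash any file found so it can be compared against the scanner's detection later
foreach ($f in $fileChecks) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = $hash }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Cleanator indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

On a 64-bit system the InprocServer32 data shown above ("C:\PROGRA~1\CLEANA~1\ClShl.dll") points into the 32-bit Program Files directory, so when the check is run from a 64-bit PowerShell session, substitute `${env:ProgramFiles(x86)}` for `$env:ProgramFiles` in the file checks.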