
HTTP MyCleanerPC Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects network activity of the misleading application MyCleanerPC.

Additional Information

When MyCleanerPC is installed on the computer, it creates the following files:

* %UserProfile%\Cookies\administrator@ads.mybetterpc[1].txt
* %UserProfile%\Local Settings\Temp\GLB2E.tmp
* %UserProfile%\Local Settings\Temp\~[6 RANDOM HEX DIGITS].tmp
* %UserProfile%\Start Menu\Programs\myCleanerPC\About myCleanerPC.lnk
* %UserProfile%\Start Menu\Programs\myCleanerPC\MyCleanerPC.lnk
* %UserProfile%\Start Menu\Programs\myCleanerPC\Uninstall myCleanerPC.lnk
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\1.jpg
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\2.jpg
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\3.jpg
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\4.jpg
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\5.jpg
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\CleanerDefs.css
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\error.log
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\history.dat
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\schedule.dat
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\Signatures.dat
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\stats.log
* %SystemDrive%\Documents and Settings\All Users\Application Data\myCleanerPC\user.dat
* %ProgramFiles%\myCleanerPC\clean.swf
* %ProgramFiles%\myCleanerPC\clean1.swf
* %ProgramFiles%\myCleanerPC\DNRProject.dll
* %ProgramFiles%\myCleanerPC\myCleanerPC.exe
* %ProgramFiles%\myCleanerPC\Setup.INI

It may also create the following files, which are related to legitimate software:

* %System%\Flash.ocx
* %System%\mcpcuninstaller1_25.EXE
* %System%\Msinet.ocx
* %System%\MSVBVM60.DLL
* %System%\msxml3.inf
* %System%\msxml3a.dll
* %System%\TabCtl32.ocx
* %System%\vbar332.dll
* %System%\zlib.dll

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run\"myCleanerPC" = "C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe"

The program also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\Program Files\myCleanerPC\DNRProject.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\comdlg32.ocx" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\vbar332.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\Msinet.ocx" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\zlib.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3r.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3a.dll" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\msxml3.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\scrrun.dll" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\Flash.ocx" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\"C:\WINDOWS\system32\TabCtl32.ocx" = "1"

The program then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41765812-F0D1-4837-9662-5FBCD9CC2DEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F81B064-E53B-48CD-98DD-84ABD18D4CBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72556741-56FD-45A8-93DA-EE5EE41B908A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9BD6A9A7-7D88-4658-8BE4-1AA69174F8AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A582B627-CE65-4BA7-B44F-8B9609193C32}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB9F5DD2-427A-4CE3-9522-3756BF2F0048}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE94BD95-408C-4506-BA90-2FAACB173927}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B6B86368-2787-49B2-9054-F32B4B839AF1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F30973B1-DD06-4885-8C39-EE3CED95061F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1295E3D3-FDC8-4A3E-8E60-C6031601D08D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14627BD3-6C96-4B5F-AA47-941CB370BB94}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{244DB87B-7310-46DB-A7B8-651B8AEC8648}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26953A7A-BC68-496E-A479-AE975B0BFC6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7265B88D-C685-4290-8B25-3659F8626031}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{908099C8-E0C7-4787-B084-96F915383598}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF6015BD-186A-4E60-A08E-0FC1C53324D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC978724-6C36-4F11-9A63-E85834BA344F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC03D597-A404-4B95-8544-FD215925B677}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBA4C028-544C-4D46-8D96-87E12B655CDD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA6EEA37-5D54-490F-801E-DC0AD91C1045}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FC912F2E-A101-4015-B822-7D2D71D15545}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{472FA6ED-4A44-49BA-8241-7CA38806C618}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cCookie
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cErrorLog
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cHistory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cRegistryRoutines
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cScheduler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cThreatLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.cUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DNRProject.DNRDirector
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\myCleanerPC

It also creates the following registry subkeys, which are related to legitimate software:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.mfp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sor
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InetCtls.Inet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TabDlg.SSTab.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C

The program then prompts the user to purchase a registered version of the software in order to remove the reported threats.
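A read-only host check for the artifacts described above, added here as an example and not part of the Symantec write-up. It reports the Run value, the DNRProject COM registrations and the application's own dropped files, and removes nothing; the write-up's "HKEY_ALL_USERS" entry is interpreted as every loaded user hive under HKEY_USERS, which is an assumption.

```powershell
# Added example (not from the Symantec write-up): read-only check for the
# MyCleanerPC artifacts listed on this page. Reports findings, removes nothing.
# Assumption: "HKEY_ALL_USERS" is checked by walking each hive under HKEY_USERS.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autorun persistence: the "myCleanerPC" value under each user's Run key.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    $runKey = Join-Path $hive.PSPath 'Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'myCleanerPC' -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add("Run value in $($hive.PSChildName): myCleanerPC = $($run.myCleanerPC)")
    }
}

# 2. COM registrations of the bundled DNRProject.dll (ProgIDs from the write-up).
$progIds = 'cCookie','cErrorLog','cHistory','cRegistryRoutines','cScheduler',
           'cSignature','cThreatLevel','cUserSettings','DNRDirector'
foreach ($p in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\DNRProject.$p"
    if (Test-Path -Path $key) { $findings.Add("Registry subkey: $key") }
}

# 3. Dropped files unique to the application. The shared VB6/MSXML/Flash runtime
#    files the write-up lists are skipped on purpose: they belong to legitimate software.
$appData = "$env:SystemDrive\Documents and Settings\All Users\Application Data\myCleanerPC"
$files = @(
    (Join-Path $env:ProgramFiles 'myCleanerPC\myCleanerPC.exe'),
    (Join-Path $env:ProgramFiles 'myCleanerPC\DNRProject.dll'),
    (Join-Path $env:ProgramFiles 'myCleanerPC\Setup.INI'),
    (Join-Path $appData 'Signatures.dat'),
    (Join-Path $appData 'CleanerDefs.css'),
    (Join-Path $appData 'schedule.dat')
)
foreach ($f in $files) {
    if (Test-Path -Path $f -PathType Leaf) { $findings.Add("File: $f") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MyCleanerPC artifacts found.'
} else {
    Write-Output "MyCleanerPC artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so that all user hives under HKEY_USERS are readable; it does not look at the randomly named %Temp% files, since those names are not stable indicators.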

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.